Dr. Ford delivered the following remarks to a September 21, 2011, meeting of the Louisville Committee on Foreign Relations.
Thank you for inviting me to speak to you today. Having grown up in Cincinnati – not so far upriver – it’s a pleasure to be back in this part of the country. I’m glad the Council is interested in the national security challenges of contemporary cyberspace, and I appreciate the chance to chat with you.
It’s certainly no secret that modern developed economies – and most participants therein – are today hugely dependent upon computer networks in ways far too numerous to describe here. Much the same is true for modern militaries, and the operations of government itself.
It is also widely understood these days that there is a sizeable universe of “bad guys” out there who seek to take advantage of modern computer networking to accomplish various illicit ends. On the more benign end of the spectrum, we have all gotten “spam” e-mail solicitations – which are nowadays generated automatically by the billions – and are probably aware that a good portion of these are fraudulent. But cyber criminals also routinely break into networks in order to steal money, personal information, corporate secrets, or other data. Either for fun or profit, or perhaps both, hackers frequently compromise supposedly secure databases, vandalize or crash websites, and cause all sorts of other problems.
From a national security perspective, however, the most interesting and potentially problematic cyber intrusions are those that may arrive from, or at the behest of, foreign governments. Cyber espionage is already a troubling fact of life in both the corporate and the national security world, and there is widespread awareness that the tools involved in achieving the network access needed to steal data are essentially the same as those needed to manipulate systems or simply shut them down. Given how dependent the instruments of national power are on networked computer systems, the next serious war between modern states may well feature significant cyber “attack” components.
The potential for cyber manipulation, even to the point of creating destructive effects, is fairly well understood. One example to which people sometimes point is the example of the Shushenskaya hydroelectric plant in Siberia, part of which was destroyed in 2009 by a surge of high-pressure water when an employee remotely logged in to its operating system and accidentally activated an unused turbine with an errant keystroke. That episode was inadvertent, but no one doubts that clever programmers can make rather bad things happen in the physical world by tinkering with the computers that control so many processes and procedures in modern life.
And such destructive physical effects are, to some degree, just icing. From a national security perspective, some of the biggest potential problems might come from the simple unavailability of critical infrastructure or vital computer systems in time of crisis. Even more exotically, it is possible for systems to be hijacked and pressed into service by an adversary. Imagine what you could do to an enemy, for example, if you were able secretly to access the networks controlling his air defense system and control what data it gives him about your attack operations. This is not science fiction: the cutting edge of military electronic warfare includes sophisticated efforts to inject code into enemy systems for precisely such purposes. What was in the past done by radio-frequency radar and communications jamming and “spoofing” on the battlefield may in future conflicts also be done with computer code arriving through thumb drives, “back doors” bored into software packages, airborne or covert platforms transmitting inputs into wireless networks, and various other cyber-facilitated methods.
Sophisticated governments are investing more and more in computer network exploitation (CNE) capabilities, for purposes of both attack and defense, as well as for espionage. This is a very difficult situation to follow, of course, because by comparison to past arms races, the technology involved is all but invisible – it doesn’t appear in military parades and cannot be seen from a reconnaissance satellite – and developers usually keep their capabilities secret.
While cyber tools have appeal to both the weak and the strong, however, it is generally thought that they have a special attractiveness for weaker powers – especially those who anticipate the possibility of confronting a state whose other military capabilities are greater than their own. Cyber conflict has been a subject of study around the world for years because of its potential utility in what is called “asymmetric warfare.” It is thought of as a tool by which weaker powers might “level the playing field” against a stronger state – especially one the military power of which itself depends upon being able to employ computerized command-and-control (C2) and intelligence, surveillance, and reconnaissance (ISR) capabilities.
Compared to such things as ballistic missiles, stealthy bombers, and aircraft carriers, cyber tools are almost absurdly inexpensive. They require relatively little production and support infrastructure, the human capital needed for their development is plentifully available, and cyber crime – which can actually help fund cyberweapon development by rogue actors – is quite profitable. I don’t mean to suggest that truly first-rate cyber weapons can necessarily be developed by a teenage hacker living in his parents’ basement, but it is surely true that in comparison to other militarily-useful tools, CNE technology is very easy to come by.
Presumably for these reasons, the People’s Republic of China (PRC), for example, is believed to have focused increasingly upon the development of cyber capabilities since the mid-1990s, when China’s own capabilities were still terribly inadequate from the perspective of offering Beijing any ability to stand toe-to-toe against the U.S. military machine during the Americans’ post-Soviet “unipolar moment.” The utility of cyber tools as an asymmetric force-multiplier begins to show up in Chinese strategic and military writings at this time, and Beijing is believed to have invested heavily in both defense and offense capabilities.
From the mid-2000s, in fact, U.S. and other Western computer security experts have reported the emergence of what is referred to today as the “Advanced Persistent Threat” (APT) – an ongoing campaign of cyber-probes and network penetrations of considerable complexity and growing sophistication against defense contractors and government networks. Most observers feel that it originates in China. To be sure, attribution in cyberspace is notoriously difficult: it is not hard to conceal one’s point of origin, bouncing probes and attacks through various proxy servers, hijacked compuers, and using other types of “anonymizing” tricks. Even when a state organizes such campaigns, moreover, they may to some extent be carried out not directly by government employees using their office computers but rather by looser groups of “cyber-privateers” or semi-volunteer “hacktivists” marshaled into coalitions of convenience in support of government ends.
Nevertheless, such attribution as has been done, and which can be spoken about in public, does seem to point at Chinese responsibility for most of the APT. Earlier this year, the web security company MacAffee published the results of a remarkable study it undertook of the APT. In this investigation, MacAffee cyber-sleuths – themselves displaying a remarkable degree of CNE skill – apparently gained access to one of the command-and-control servers used by a cyber-actor associated with the APT, an attacker they nicknamed “Shady RAT.” (“Rat” wasn’t meant to be a pejorative, by the way. It’s an acronym for “remote access tool.”) Having turned the tables and gotten inside the attacker’s computer, the investigators downloaded logs of the targets of “Shady RAT” penetrations since mid-2006, when its activities began. This list of victims is fascinating.
According to MacAffee, it is likely that a state was behind “Shady RAT.” To be sure, many of the penetrations were of companies and institutions around the world that seem likely to have yielded economically and commercially valuable information that would be as appealing to organized crime as to an actual government player. Nevertheless, some patterns of penetration stand out for their lack of apparent economic and commercial utility, and their likely political and strategic importance, especially to ... say, China.
Some penetrations, for instance, occurred at the International Olympic Committee, and various Western and Asian national Olympic committees, just before and just after the 2008 Summer Olympics in Beijing – an event the political importance of which to Beijing it is pretty much impossible to overestimate. (As the Games approached, it became almost a cliché to describe them as being seen as Beijing’s “coming out party” – sort of a debutante ball for China’s restored status as a great power – but this observation is no less accurate for the frequency with which is was made.) Penetration also occurred of the World Anti-Doping Agency, which has responsibility for preventing illegal substance abuse of the sort in which governments have sometimes engaged in order to run up their prestigious medal totals at such events. (China, by the way, won a remarkable 51 gold medals at the 2008 games – some 15 more than the United States.)
“Shady RAT” also went after political non-profit organizations with little obvious economic or commercial attractiveness, such as one Western outfit focused upon democracy promotion around the world, a U.S. national security think tank, and a second U.S. think tank. It also penetrated the United Nations, and the Association of Southeast Asian Nations (ASEAN) Secretariat. Additionally, one major U.S. news organization was compromised at its New York headquarters and its Hong Kong office. “Shady RAT” penetrations also included twelve U.S. government agencies, some U.S. state and local governments, some U.S. defense contractors, and government agencies in both India and Canada. Interestingly, while targets were pursued elsewhere in Asia – apparently including South Korea, Taiwan, India, and Vietnam – “Shady RAT” never went after anyone in the vibrant and expanding economy of China. If you’re sensing that this doesn’t sound like just the handiwork of greedy cyber-mafiosi from the Bronx, Antwerp, or Novosibirsk, you’ll be in good company. MacAffee carefully doesn’t say the word “China,” but nobody has missed the point.
Subsequently, in what is generally believed to have been a slip-up – but which might perhaps have been an interesting bit of perception management – a Chinese news documentary about the country’s military that was broadcast on one of China’s government-run CCTV channels recently broadcast a brief clip that appears to show a cyber attack in progress. In a mere six seconds of “B roll” footage, which was quickly removed from the Internet after Western reporters drew attention to it, the program showed a computer screen at a Chinese military university while its user selected from a drop-down list of compromised sites a U.S.-based web address belonging to the Falungong spiritual group. The user then employed a mouse to click an on-screen button labeled “attack.” (Thanks to the magic of the Internet, you can still watch about ten minutes of the CCTV documentary – including the computer “attack” – on YouTube.)
Whatever one makes of all this, the potential U.S. national security issues are quite real. There is no question that the scale of ongoing efforts at cyber-exploitation aimed at U.S. government and defense networks is immense. Last year, the incoming head of the U.S. Cyber Command, General Keith Alexander, estimated that networks belonging to the Department of Defense are “probed” some 250,000 times every hour. So far, these attacks seem designed for network analysis and espionage – rather than for debilitating attack – but no one misses their potential.
And indeed, there have already been formidable costs in terms of information lost. News coverage in 2009 carried reports that a series of unknown attackers had used Chinese Internet sites to break into a computer network associated with the development of the F-35 Joint Strike Fighter (JSF) in order to download terabytes of data about the program. (A terabyte, by the way, is a trillion bytes of information.) More recently, however, it has been reported that this compromise may not have been aimed at the F-35 itself, but rather resulted in the loss of information about a “black” – that is, classified and officially non-existent – program that had to be temporarily halted as a result of the compromise. Apparently, the cyber-assailants were able not only to download stored data, but also to make themselves what the magazine Defense Technology International described as “invisible witnesses to online meetings and technical discussions” on an ongoing basis. Now that’s a penetration!
In what may be a separate incident revealed this past summer by Deputy U.S. Defense Secretary William Lynn, “a foreign intelligence agency” – and here, intriguingly, there were none of the usual waffle words about “unknown attackers” – penetrated a major defense contractor and exfiltrated some 24,000 computer files about a developmental U.S. weapons system. (Apparently this system is currently being reviewed in order to see whether it must be redesigned.)
And so it goes. Not for nothing did the experts studying “Shady RAT” warn that the APT’s “massive hunger for secrets and intellectual property” was causing a
“historically unprecedented transfer of wealth – closely guarded national secrets (including from classified government networks), source code, bug databases, e-mail archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA [supervisory control and data acquisition] configurations, design schematics and much more.”
To be sure, judging by what has been said publicly, these campaigns to siphon information out of global computer networks appear so far not to have crossed the line into actual destructive “attack” operations, though as I noted, the access-giving tools involved are, in many respects, exactly the same. Nevertheless, there have been real attacks in cyberspace, though not so far with much by way of physical damage. This suggests broader potentialities in the national security realm.
One could point to a number of examples. In what is now considered something of a bellwether incident, Estonian computer servers were deluged with denial-of-service and other attacks in the spring of 2007 in the midst of a bitter political dispute with Russia over Estonia’s decision to dismantle a Stalin-era war memorial. In June 2008, Lithuanian systems suffered a similar attack, also during a dispute with Russia over moves to eliminate Soviet-era political symbols. Kyrgyzstan, too, had such an experience in January 2009, just when officials in Moscow were trying to pressure it to close a U.S. airbase there. Networks in the Republic of Georgia also suffered debilitating attacks in 2008 as Russian forces went to war against the country. Debate has swirled about whether there was an official Russian government hand in these various assaults – which were real attacks, and to my knowledge did not involve espionage – but the coincidences are noteworthy.
In 2009, a number of U.S. Government and South Korean websites were subjected to attacks which some observers felt to have originated in North Korea, and which indeed were consistent with South Korean warnings earlier that year suggesting that Pyongyang had recently established a cyberwarfare unit. Moreover, in what is to my knowledge the first incident in which government officials have been willing to go on the record in pointing the finger at a state cyber-attacker, a senior South Korean government investigator last month described an April 2011 attack that disabled servers and destroyed databases supporting a major South Korean bank as an “unprecedented act of cyberterror involving North Korea.”
So whether the issue is cyber espionage or outright cyber-attack – with respect to which one could argue we’re living on borrowed time, facing potential adversaries keen to use cyber tools to make up for imbalances in regular military power – there is every reason for U.S. authorities to take cyber defense policy very seriously indeed. Fortunately, it would seem that we are trying to do so.
In both the U.S. government and our private sector, cybersecurity these days receives a significant amount of time and money. This is an ongoing game of cat-and-mouse, with hackers and defenders continually sparring, and each working to counter the other’s latest approaches. But while notable problems have occurred it must also be noted that most of probes launched against defense contractors and government networks do not get through. I’m in no position to tell you who’s winning the game, but it’s certainly still being played, and U.S. authorities seem increasingly focused upon these problems.
The United States, moreover, has established a new Cyber Command within the military command structure, “double-hatting” as its head the director of the National Security Agency – the military spy organization that leads U.S. signals intelligence (SIGINT) efforts worldwide, including whatever cyber-espionage we might happen to do. U.S. officials have also begun to speak more clearly, though still mostly not “on the record,” about deterring cyber attack, making clear that Washington will regard destructive cyber attacks as the equivalent of physical attacks – which is to say, as things for which military retaliation may be made.
Interestingly, American officials have also taken the position that cyberspace is not terra incognita when it comes to the law of armed conflict. It may be a “battlespace” stranger than most others, but our government believes that time-tested military principles of military law still apply there – principles such as the customary international legal rules tying the use of force to military necessity and to a notion of proportionality, and those requiring reasonable efforts at discrimination between military and civilian targets. Not everyone agrees, of course, with the Chinese, for instance, apparently having taken the view that the law of war doesn’t apply at all in cyberspace. This issue is very much in play.
In this regard, as I have pointed out on my website, we may be seeing the evolution of cyber weaponry toward forms the use of which might be compatible with law-of-war norms – forms in which cyber-attack could be “normalized” as a military tool alongside the full spectrum of other techniques of organized state violence. This is fascinating stuff, and worth a few words before I conclude.
Perhaps the most stereotypical form of computer attack on an adversary’s network, the injection of self-replicating malware that spreads itself throughout victim’s networks, has long been felt to suffer from problems of controllability. The ability to limit the effects of an attack to a particular target is obviously a key aspect of the “usability” of cyber tools, as with other weapons, and is likely a major factor in their legality as a weapon of war as well.
According to some press accounts, however, controllability has long been an operational worry in U.S. eyes. It has been said, for instance, that during the first Gulf War, Iraq’s French-built air defense network could have been taken down with the proverbial computer keystroke, but U.S. planners worried that these effects might spread to the broader Iraqi computer network and even to French systems. One American general later told Aviation Week & Space Technology that “[w]e were afraid we were going to take down all the automated banking machines in Paris.” In such circumstances, responsible cyber-players may feel strong pressures to stay their hand in all but the most extreme circumstances, leaving offensive cyber operations to the irresponsible actors – most obviously, rogue states or terrorists – in a sort of unilateral cyber self-deterrence.
If cyber-war coders, however, were able to acquire confidence in their ability to limit the extent of damage caused by an attack – and indeed were able reliably to estimate such effects, much as military weaponeers do with their physical (a.k.a. “kinetic”) tools – things might be very different. For this reason, I suspect that behind the scenes, there is considerable “evolutionary pressure” for the development of cyber-attack tools that act more like kinetic “precision-guided munitions” (PGMs) than “weapons of mass destruction.”
In my own view, one possible product of such evolutionary pressure – and, in any case, by far the most sophisticated actual cyber attack about which any information is publicly available – is the “StuxNet” computer worm that was used against Iran’s nuclear facilities. Press accounts have suggested that StuxNet was a joint Israeli and American effort, but for present purposes this is not relevant. What strikes me as most interesting about the worm was that it seems to have been designed to target one or two very specific facilities: the steam turbine at Iran’s Bushehr nuclear reactor and the uranium-enrichment centrifuge cascades at Iran’s Natanz enrichment facility.
StuxNet, it would appear, was code designed to attach itself to a particular proprietary software package made by the German company Siemens as a “supervisory control and data acquisition” (SCADA) management system for industrial plants. As such, it seems to have self-propagated widely around the world in a classically cyber-contagious fashion, “infecting” perhaps 45,000 separate computers or networks, and installing in each a secret software “back door” to the Internet.
The key thing, however, is that StuxNet seems designed to do nothing on all these various systems unless and until the specific configuration of an industrial plant corresponds exactly to detailed pre-set specifications that precisely match the “targeted” Iranian facilities. If there is such a match, the software goes to work, downloading into the plant’s control system a cyber “warhead” in the form of code designed to manipulate and damage the facility. (Intriguingly, by the way, it was apparently intended that this damage be very subtle, going largely unnoticed for long periods of time – thus acting more like a mysteriously debilitating disease rather than an easily-categorizable “attack.” StuxNet also fed misleading data to the systems’ users to lead them astray as they tried to figure out why things weren’t working quite right. As it has been explained in some public accounts, this was quite a piece of software.) It’s not clear to what extent the worm actually did manage to delay the progress of Iran’s nuclear program, but to my eye StuxNet is fascinating as the first known example of a cyber-PGM. Whoever was actually responsible, I’d wager that StuxNet has given us – for better or for worse – a glimpse of the cyber future.
No one, of course, is sure precisely where all of this is going. It has long been a big part of the conventional wisdom of the cyber-commentariat that (a) attack attribution is impossible, that (b) there is consequently little scope for cyber-“deterrent” signaling and other strategic gamesmanship in the cyber-“battlespace” of the future, and that (c) except for espionage applications, cyber attack tools are inherently uncontrollable and relatively unusable for anyone except nihilistic cyber-terrorists. My own guess is that this conventional account is overblown, and perhaps in important ways simply wrong.
Time will tell, and I cannot claim to do more than guess here. I have heard it said that we are today at the “Wright Brothers” phase of cyberconflict technology. If so, there is a very long road ahead before one can begin to talk about a “mature” battlespace. Accordingly, while we may perhaps dimly glimpse that something big is afoot, for good or ill, we are in little position to know exactly what. Clearly, however, this is a national security issue we ignore at our peril.
Thank you. I look forward to our discussions.
-- Christopher Ford