Welcome to Cyber Geopolitics

Dr. Christopher Ford • Mar 16, 2021

Dr. Ford's remarks to the Global Counter-Terrorism Center (GCTC) conference on "Cyber and Information Security," New Delhi, India (March 16, 2021) [as prepared]:



Good evening, everyone, and thank you for inviting me to participate in this event.  

I would like to focus my remarks today upon the emergence of the cyber realm as a new “battlespace” – not merely in the context of actual warfighting, if it were to come to it, but also in connection with broader dynamics of peacetime strategic signaling, coercive pressures, and potential deterrence dynamics. The views I will express here are entirely my own, and do not necessarily reflect those of anyone else. Nevertheless, I feel these issues to be very important, and I am glad of the chance to discuss them with you.

It has been clear for some time that activities in cyberspace can indeed have real-world effects, and that the threat presented by malicious cyber activity is not limited simply to its impact upon computer systems themselves. As early as 2007, for instance, work at the Idaho National Laboratory demonstrated that one could manipulate control signals sent to a commercially available electric power generator – and potentially to other sorts of electrical motor or rotating equipment – in ways that resulted in it being literally, physically, destroyed.

It’s also been clear for some time that computer problems in an industrial facility’s supervisory control and data acquisition (SCADA) systems are capable of producing catastrophic “real-world” physical system failures. Such a failure in California in 2010 reportedly helped produce a pipeline explosion that killed eight persons and destroyed 37 homes, while a malicious cyber hack against a German steel factory in 2014 apparently caused a series of equipment failures across the plant and damage to a blast furnace.

The STUXNET code that came to light in 2010 was another early example of how cyber tools targeting industrial control systems (ICS) could have direct physical consequences. It caused impressively targeted damage to cascades of uranium enrichment centrifuges at Iran’s Natanz enrichment facility – but this was hardly the last example of cyber tools used to cause “real-world” physical harm. Disruptive cyber attacks originating in Russia also occurred in 2015 and 2016 against the electricity distribution system in Ukraine, resulting in several outages that caused perhaps 225,000 customers to lose power across various areas – and in the middle of the Ukrainian winter, no less. And, in 2017, the Russian “NotPetya” virus attack started in Ukraine and thereafter rampaged across the Internet causing widespread chaos around the world, including billions of dollars in economic losses and the disruption of operations at major container ports, large businesses, and industrial concerns.

Such instances clearly suggest that future strategists and warplanners will need to consider the possibility of an adversary deliberately mounting what the U.S. Defense Science Board (DSB) has called a “catastrophic attack upon critical civilian infrastructure.” As early as 2017, the U.S. Department of Energy warned that “the U.S. [electric] grid faces imminent danger from cyber attacks,” and that 

“[w]idespread disruption of electric service because of a transmission failure initiated by a cyber attack at various points of entry could undermine U.S. lifeline networks, critical defense infrastructure, and much of the economy; it could also endanger the health and safety of millions of citizens.”

That same year, the Defense Science Board issued a strongly-worded report finding that “[a] large-scale cyber attack on civilian critical infrastructure could cause chaos by disrupting the flow of electricity, money, communications, fuel, and water.” Thus far, the Board warned, “we have only seen the virtual tip of the cyber attack iceberg.”

So concerned about such targeting was the U.S. President’s National Infrastructure Advisory Council, in fact, that it warned in August 2017 about the danger of a cyber attack that could damage or disrupt critical U.S. infrastructure that deliver vital services – particularly electricity and financial services.” “[W]e find ourselves,” the Council declared grimly, in a “cyber moment” analogous to that facing the United States in the counter-terrorism realm before the devastating attacks on New York and Washington, D.C., of September 11, 2001. (These warnings, by the way, echoed those issued in 2012 by President Obama’s then-Secretary of Defense Leon Panetta, who talked of the possibility of a “cyber Pearl Harbor.” This is clearly a bipartisan concern in Washington.)

Nor is this just an American concern. The Australian Home Affairs Minister has pointed out, for example, that the potential consequences of a successful cyber attack on critical infrastructure could indeed be catastrophic. As he put it, “[a] prolonged and widespread failure in the energy sector … could cause knock-on disruptions to other essential systems including medical, transport, traffic management systems, banking services or even the supply of food and groceries.”

Similarly, in the United Kingdom, the outgoing director of the National Cyber Security Center also recently warned that “a ‘national cyber emergency’ due to a ‘category one’ cyber attack on our national infrastructure, which could cause loss of life or severe economic damage, has moved closer to probability.” Such an occurrence, it was said, “feels very much like it’s a matter of ‘when, not if.’”

Nor is the possibility of such an attack merely a hypothetical problem. According to the U.S. Defense Science Board, “Russia and China are increasing their already substantial capabilities to hold U.S. critical infrastructure at risk by cyber targeting of inherently vulnerable ICT and ICS architectures.”

In 2014, the then-director of the U.S. National Security Agency testified that “China and ‘one or two’ other countries” were already “capable of mounting cyber attacks that would shut down the [U.S.] electric grid and other critical systems.” And the U.S. Director of National Intelligence testified before Congress in January 2019, in the U.S. Intelligence Community’s Worldwide Threat Assessment, that 

“China has the ability to launch cyber attacks that cause localized, temporary disruptive effects on critical infrastructure – such as disruption of a natural gas pipeline for days to weeks – in the United States. ... Moscow is now staging cyber attack assets to allow it to disrupt or damage U.S. civilian and military infrastructure during a crisis .... Russia has the ability to execute cyber attacks in the United States that generate localized, temporary disruptive effects on critical infrastructure – such as disrupting an electrical distribution network for at least a few hours – similar to those demonstrated in Ukraine in 2015 and 2016. Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”

And I myself issued a public warning along these lines last year when performing the duties of the U.S. Under Secretary of State for Arms Control and International Security, noting that the United States faces “growing threats to our critical infrastructure from PRC and Russian efforts to prepare for possible all-out warfare in the cyber domain.” “The trend is clear,” I cautioned, “and things are worsening.”

Indeed, so grave is the potential threat U.S. officials see to be emerging, that in the name of deterring the worst such attacks, the U.S. Defense Department’s Nuclear Posture Review of 2018 took pains to emphasize that the United States does not rule out even the possible use of nuclear weapons in response to a sufficiently “significant non-nuclear strategic attack.” The term “significant non-nuclear strategic attack” was a term new to the U.S. strategic lexicon, but it was expressly said to include, but not to be limited to, 

“attacks on the U.S., allied, or partner civilian population or infrastructure, and attacks on U.S. or allied nuclear forces, their command and control, or warning and attack assessment capabilities.”

This 2018 declaration elaborated upon pre-existing declaratory policy about the “extreme circumstances” in which Washington might consider the threat or use of nuclear weapons, by making clear both that (a) the gravest of cyber threats could indeed rise to the level of “strategic” significance and that (b) the United States did not entirely foreswear the possibility of a potential nuclear response in the event of a significant enough cyberattack catastrophe.  

The Nuclear Posture Review did not explicitly say that cyber attacks might fall within this new category of “significant non-nuclear strategic attack,” but that was very much the case. As I myself put it when in government last year, this additional clarity was “a critical new element in U.S. nuclear declaratory policy.” Lest there be “any confusion about whether a cyber attack could potentially constitute a ‘significant non-nuclear strategic attack,’” I said, “I can say with confidence that it most certainly could if it caused kinetic effects comparable to a significant attack through traditional means.”

If all this sounds to you like good reason for all of us to sit up and take notice, I would agree. The message I would like to convey to conference attendees today, therefore, is that we must all do more to engage with the existence of cyberspace as a new domain of conflict. Specifically, we need to grapple with the issues raised in this new domain not just at the “low end” of ongoing cyber mischief such as denial-of-service harassment, ransomware and criminal attacks, intellectual property theft, and even measures to impede military command-and-control in time of conflict.

We also need to engage with the possibility of “high end” attacks from state-level adversaries that are intended to create potentially catastrophic cascading “system effects” across a target country’s physical infrastructure and civilian economy. We must come to grips with these challenges, moreover, not merely in the sense of being better prepared to stop or mitigate the effects of such an assault in the event of crisis.

We must also prepare ourselves for living, on an ongoing basis, in a world in which geopolitical maneuvering and competition is played out in part through cyberspace. That means being ready for a world in which express or implied threats and dynamics of strategic signaling, coercive pressure, and deterrent dynamics play out in the cyber realm as they have in traditional “kinetic” realms for a long time.  

I do not mean to suggest, of course, that these dynamics will necessarily look or operate in exactly the same way in and through cyberspace as they do in other domains. They may end up working rather differently, at least in some respects. My point is merely that they will be there, and that we would be quite ill-advised not to try to be ready for them.

To my eye, such an engagement with strategic cyber policy is not “optional.” Whether we like it or not, to a great extent, we already live in such a world.  

Cyber-signaling for coercive or intimidation purposes seems already to occur, and it is likely to accelerate. This is, I submit, of special significance for the United States and India – the world’s largest democracies, and ever-better strategic partners in a dangerous and competitive environment – for we both face increasing challenges from the steadily more powerful and aggressive regional and global revisionism of the People’s Republic of China.

Beijing, after all, seems in no way above a bit of cyber-bullying. As I have pointed out elsewhere, not long ago, in what “might perhaps have been an interesting bit of perception management,”  

“a Chinese news documentary about the country’s military that was broadcast on one of China’s government-run CCTV channels recently broadcast a brief clip that appears to show a cyber attack in progress. In a mere six seconds of ‘B roll’ footage … the program showed a computer screen at a Chinese military university while its user selected from a drop-down list of compromised sites a U.S.-based web address belonging to the Falungong spiritual group. The user then employed a mouse to click an on-screen button labeled ‘attack.’”

More recently – and in much more sinister a fashion – news reports have suggested that in response to skirmishing between Chinese and Indian troops in the high Himalayan mountains between Ladakh and Aksai Chin during the summer of 2020, “Chinese malware was flowing into the control systems that manage electric supply across India, along with a high-voltage transmission substation and a coal-fired power plant,” as well as a nuclear power plant. Except for some that seems to have been associated with a blackout in Mumbai, most of this code was allegedly never actually activated, but according to the New York Times, at least, this was merely 

“the latest example of how the conspicuous placement of malware in an adversary’s electric grid or other critical infrastructure has become the newest form of both aggression and deterrence – a warning that if things are pushed too far, millions could suffer.”

As seen from here in Washington, such threats acquired special prominence in the wake of the infamous “SolarWinds” hack discovered in 2020 – which was said by U.S. officials to be “likely of Russian origin,” and which penetrated the monitoring and management software for a major American cybersecurity company by compromising that company’s own software supply chain. According to press reports, the Russian hackers used this compromise to hijack the company’s own ongoing relationship of cybersecurity software updates for its public and private sector customers, implanting software “back doors” as customers’ software was routinely and automatically updated. Up to 18,000 SolarWinds customers appear to have received the malicious code, and at least nine U.S. federal agencies and about 100 private sector companies were actually compromised.

To be sure, it may turn out that the SolarWinds attack was originally intended for cyber espionage rather than to lay the groundwork for “high-end” infrastructure sabotage and disruption. Nevertheless, when one imagines what could have been done with that sort of access, it certainly puts the point on warnings from the U.S. Defense Science Board that Russia and China each have a significant and increasing ability to hold at risk the critical infrastructure of any state they consider to be an adversary.

So we do seem already to live in a world of strategic cyber threats, whether we like it or not. The question for our two countries’ policy communities, therefore, is whether we are willing to admit this – and whether we are willing to do the challenging intellectual and programmatic work of devising more effective and deliberate responses.  

In the modern world, practitioners of statecraft, strategy, and diplomacy have long attempted to find effective ways to protect and promote national interests in and through conventional military, economic and trade-related, technological, and in some cases even nuclear weapons competition. Especially if our two democracies are to find ways to blunt the dangerous geopolitical revisionism of China’s present-day push to reorganize Asia and the broader international system around itself, it is clear that we are going to have to work ever more closely together not just on those areas of policy and strategy, but on new approaches in cyberspace as well.

Thank you.

-- Christopher Ford