Think Again: Cyberwar
Don't fear the digital bogeyman. Virtual conflict is still more hype than reality.
BY THOMAS RID |
MARCH/APRIL 2012
"Cyberwar Is Already Upon Us."
No way. "Cyberwar is coming!" John
Arquilla and David Ronfeldt predicted in a celebrated Rand paper back in 1993.
Since then, it seems to have arrived -- at least by the account of the U.S.
military establishment, which is busy competing over who should get what share
of the fight. Cyberspace is "a domain in which the Air Force flies and
fights," Air Force Secretary Michael Wynne claimed in 2006. By 2012,
William J. Lynn III, the deputy defense secretary at the time, was writing that
cyberwar is "just as critical to military operations as land, sea, air,
and space." In January, the Defense Department vowed to
equip the U.S. armed forces for "conducting a combined arms campaign
across all domains -- land, air, maritime, space, and cyberspace."
Meanwhile, growing piles of books and articles explore the threats of
cyberwarfare, cyberterrorism, and how to survive them.
Time for a reality
check: Cyberwar is still
more hype than hazard. Consider the definition of an act of war: It has to be
potentially violent, it has to be purposeful, and it has to be political. The
cyberattacks we've seen so far, from Estonia to the Stuxnet virus, simply don't
meet these criteria.
Take the dubious story
of a Soviet pipeline explosion back in 1982, much cited by cyberwar's true believers as
the most destructive cyberattack ever. The account goes like this: In June
1982, a Siberian pipeline that the CIA had virtually booby-trapped with a
so-called "logic bomb" exploded in a monumental fireball that could
be seen from space. The U.S. Air Force estimated the explosion at 3 kilotons,
equivalent to a small nuclear device. Targeting a Soviet pipeline linking gas
fields in Siberia to European markets, the operation sabotaged the pipeline's
control systems with software from
a Canadian firm that the
CIA had doctored with malicious code. No one died, according to Thomas Reed, a
U.S. National Security Council aide at the time who revealed the incident in
his 2004 book, At the Abyss;
the only harm came to the Soviet economy.
But did it really
happen? After Reed's account came out, Vasily Pchelintsev, a former KGB head of
the Tyumen region, where the alleged explosion supposedly took place, denied
the story. There are also no media reports from 1982 that confirm such an
explosion, though accidents and pipeline explosions in the Soviet Union were
regularly reported in the early 1980s. Something likely did happen, but Reed's
book is the only public mention of the incident and his account relied on a
single document. Even after the CIA declassified a redacted version of Reed's
source, a note on the so-called Farewell Dossier that describes the effort to
provide the Soviet Union with defective technology, the agency did not confirm
that such an explosion occurred. The available evidence on the Siberian
pipeline blast is so thin that it shouldn't be counted as a proven case of a
successful cyberattack.
Most other commonly
cited cases of cyberwar are even less remarkable. Take the attacks on
Estonia in April 2007, which came in response to the
controversial relocation of a Soviet war memorial, the Bronze Soldier.
The well-wired country found itself at the receiving end of a massive
distributed denial-of-service attack that emanated from up to 85,000 hijacked
computers and lasted three weeks. The attacks reached a peak on May 9, when 58
Estonian websites were attacked at once and the online services of Estonia's
largest bank were taken down. "What's the difference between
a blockade of harbors or airports of sovereign states and the blockade of
government institutions and newspaper websites?" asked Estonian
Prime Minister Andrus Ansip.
Despite his analogies,
the attack was no act of war. It was certainly a nuisance and an emotional
strike on the country, but the bank's actual network was not even penetrated;
it went down for 90 minutes one day and two hours the next. The attack was not
violent, it wasn't purposefully aimed at changing Estonia's behavior, and no
political entity took credit for it. The same is true for the vast
majority of cyberattacks on record.
Indeed, there is no
known cyberattack that has caused the loss of human life. No cyberoffense has
ever injured a person or damaged a building. And if an act is not at least
potentially violent, it's not an act of war. Separating war from physical violence makes it a metaphorical notion; it would
mean that there is no way to distinguish between World War II, say, and the
"wars" on obesity and cancer. Yet those ailments, unlike past
examples of cyber "war," actually do kill people.
"A Digital Pearl Harbor Is Only a Matter of Time."
Keep waiting. U.S. Defense Secretary Leon Panetta
delivered a stark warning last
summer: "We could face a cyberattack that could be the equivalent of Pearl
Harbor." Such alarmist predictions have been ricocheting inside the
Beltway for the past two decades, and some scaremongers have even upped the
ante by raising the alarm about a cyber 9/11. In his 2010 book, Cyber War,
former White House counterterrorism czar Richard Clarke invokes the specter of
nationwide power blackouts, planes falling out of the sky, trains derailing,
refineries burning, pipelines exploding, poisonous gas clouds wafting, and
satellites spinning out of orbit -- events that would make the 2001 attacks
pale in comparison.
But the empirical
record is less hair-raising, even by the standards of the most drastic example
available. Gen. Keith Alexander, head of U.S. Cyber Command (established in
2010 and now boasting a budget of more than $3 billion), shared his worst fears
in an April 2011 speech at the University of Rhode Island: "What I'm
concerned about are destructive attacks," Alexander said, "those that
are coming." He then invoked
a remarkable accident at Russia's Sayano-Shushenskaya hydroelectric plant to
highlight the kind of damage a cyberattack might be able to cause. Shortly
after midnight on Aug. 17, 2009, a 900-ton turbine was ripped out of its seat
by a so-called "water hammer," a sudden surge in water pressure that
then caused a transformer explosion. The turbine's unusually high vibrations
had worn down the bolts that kept its cover in place, and an offline sensor
failed to detect the malfunction. Seventy-five people died in the accident,
energy prices in Russia rose, and rebuilding the plant is slated to cost $1.3
billion.
Tough luck for the
Russians, but here's what the head of Cyber Command didn't say:
The ill-fated turbine had been malfunctioning for some time, and the plant's
management was notoriously poor.
On top of that, the key event that ultimately triggered the catastrophe seems
to have been a fire at Bratsk power station, about 500 miles away. Because the
energy supply from Bratsk dropped, authorities remotely increased the burden on
the Sayano-Shushenskaya plant. The sudden spike overwhelmed the turbine,
which was two months shy of reaching the end of its 30-year life cycle,
sparking the catastrophe.
If anything, the
Sayano-Shushenskaya incident highlights how difficult a devastating attack
would be to mount. The plant's washout was an accident at the end of a
complicated and unique chain of events. Anticipating such vulnerabilities
in advance is extraordinarily difficult even for insiders; creating comparable
coincidences from cyberspace would be a daunting challenge at best for
outsiders. If this is the most drastic incident Cyber Command can conjure up,
perhaps it's time for everyone to take a deep breath.
"Cyberattacks Are Becoming Easier."
Just the opposite. U.S. Director of National
Intelligence James R. Clapper warned last
year that the volume of malicious software on American networks had more than
tripled since 2009 and that more than 60,000 pieces of malware are now
discovered every day. The United States, he said, is undergoing "a
phenomenon known as 'convergence,' which amplifies the opportunity for
disruptive cyberattacks, including against physical infrastructures."
("Digital convergence" is a snazzy term for a simple thing: more and
more devices able to talk to each other, and formerly separate industries and
activities able to work together.)
Just because there's
more malware, however, doesn't mean that attacks are becoming easier. In fact,
potentially damaging or life-threatening cyberattacks should be more difficult
to pull off. Why? Sensitive systems generally have built-in redundancy and
safety systems, meaning an attacker's likely objective will not be to shut down
a system, since merely forcing the shutdown of one control system, say a power
plant, could trigger a backup and cause operators to start looking for the bug.
To work as an effective weapon, malware would have to influence an active
process -- but not bring it to a screeching halt. If the malicious activity
extends over a lengthy period, it has to remain stealthy. That's a more
difficult trick than hitting the virtual off-button.
Take Stuxnet, the worm
that sabotaged Iran's nuclear program in 2010. It didn't just crudely shut down
the centrifuges at the Natanz nuclear facility; rather, the worm subtly
manipulated the system. Stuxnet stealthily infiltrated the plant's networks,
then hopped onto the protected control systems, intercepted input values from
sensors, recorded these data, and then provided the legitimate controller code
with pre-recorded fake input signals, according to researchers who have studied
the worm. Its objective was not just to fool operators in a control room, but
also to circumvent digital safety and monitoring systems so it could secretly
manipulate the actual processes.
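The record-and-replay behavior described above is, from the defender's side, a statistical anomaly: genuine sensor noise never repeats verbatim. As an added example (not from the article or from the Stuxnet analyses it cites), here is a check over constructed telemetry that flags any run of readings that reproduces an earlier run exactly; the sensor values and the replayed segment are made up for the demonstration.

```python
"""Replay detection over a sensor stream (added example, constructed data)."""
import random
from typing import List, Tuple


def genuine_telemetry(n: int, seed: int = 7) -> List[float]:
    """Constructed stand-in for a noisy sensor feed, e.g. a rotor speed in Hz.

    A fixed seed keeps the example reproducible; the values are not real data.
    """
    rng = random.Random(seed)
    return [round(1064.0 + rng.gauss(0, 0.5), 3) for _ in range(n)]


def constructed_stream() -> List[float]:
    """Constructed feed in which samples 10..29 are played back again at 50..69,
    the way pre-recorded input would be fed to a controller in place of live data."""
    live = genuine_telemetry(60)
    return live[:50] + live[10:30] + live[50:]


def find_replays(readings: List[float], window: int = 8) -> List[Tuple[int, int, int]]:
    """Return (original_start, replay_start, length) for every run of readings
    that exactly reproduces an earlier run of at least `window` samples.

    Overlapping window hits that advance in lockstep are merged into one run.
    Exact equality is deliberate: bit-identical repetition is the fingerprint of
    playback, whereas real measurements carry fresh noise on every sample.
    """
    first_seen = {}          # window contents -> index where first observed
    runs = []                # [original_start, replay_start, length]
    for i in range(len(readings) - window + 1):
        key = tuple(readings[i:i + window])
        if key not in first_seen:
            first_seen[key] = i
            continue
        orig = first_seen[key]
        if runs:
            o0, r0, length = runs[-1]
            # The next window of the same replay starts one sample later on both sides.
            if r0 + length - window + 1 == i and o0 + length - window + 1 == orig:
                runs[-1][2] += 1
                continue
        runs.append([orig, i, window])
    return [tuple(r) for r in runs]


if __name__ == "__main__":
    for orig, replay, length in find_replays(constructed_stream()):
        print(f"samples {replay}..{replay + length - 1} replay samples "
              f"{orig}..{orig + length - 1} ({length} readings)")
```

This catches verbatim playback only; a check that cross-correlates independent sensors (or compares reported speed against drawn current) is needed against playback that re-noises the values, and the alert should go to operators who can confirm against a physical reading rather than to the same controller that is being fed the data.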
Building and deploying
Stuxnet required extremely detailed intelligence about the systems it was
supposed to compromise, and the same will be true for other dangerous
cyberweapons. Yes, "convergence," standardization, and sloppy defense
of control-systems software could increase the risk of generic
attacks, but the same trend has also caused defenses against the most coveted
targets to improve steadily and has made reprogramming highly specific
installations on legacy systems more complex, not less.
"Cyberweapons Can Create Massive Collateral Damage."
Very unlikely. When news of Stuxnet broke, the New
York Times reported that the most striking aspect of the new weapon
was the "collateral damage" it created. The malicious program was
"splattered on thousands of computer systems around the world, and much of
its impact has been on those systems, rather than on what appears to have been
its intended target, Iranian equipment," the Times reported. Such descriptions
encouraged the view that computer viruses are akin to highly contagious
biological viruses that, once unleashed from the lab, will turn against all
vulnerable systems, not just their intended targets.
But this metaphor is
deeply flawed. As the destructive potential of a cyberweapon grows, the
likelihood that it could do far-reaching damage across many systems shrinks.
Stuxnet did infect more than 100,000 computers -- mainly in Iran, Indonesia,
and India, though also in Europe and the United States. But it was so
specifically programmed that it didn't actually damage those machines,
afflicting only Iran's centrifuges at Natanz. The worm's aggressive infection
strategy was designed to maximize the likelihood that it would reach its
intended target. Because that final target was not networked, "all the
functionality required to sabotage a system was embedded directly in the
Stuxnet executable," the security software company Symantec observed in
its analysis of the worm's code. So yes, Stuxnet was "splattered" far
and wide, but it only executed its damaging payload where it was supposed to.
Collateral infection, in short, is not necessarily collateral
damage. A sophisticated piece of malware may aggressively infect many
systems, but if there is an intended target, the infection will likely have a
distinct payload that will be harmless to most computers. Especially in the
context of more sophisticated cyberweapons, the image of inadvertent
collateral damage doesn't hold up. They're more like a flu virus
that only makes one family sick.
"In Cyberspace, Offense Dominates Defense."
Wrong again. The information age has "offense-dominant
attributes," Arquilla and Ronfeldt wrote in their influential
1996 book, The Advent of Netwar.
This view has spread through the American defense establishment like, well, a
virus. A 2011 Pentagon report on
cyberspace stressed "the advantage currently enjoyed by the offense in
cyberwarfare." The intelligence community stressed the same point in
its annual threat report to
Congress last year, arguing that offensive tactics -- known as vulnerability
discovery and exploitation -- are evolving more rapidly than the federal
government and industry can adapt their defensive best practices. The
conclusion seemed obvious: Cyberattackers have the advantage over
cyberdefenders, "with the trend likely getting worse over the next five
years."
A closer examination
of the record, however, reveals three factors that put the offense at a
disadvantage. First is the high cost of developing a cyberweapon, in terms of
time, talent, and target intelligence needed. Stuxnet, experts speculate, took
a superb team and a lot of time. Second, the potential for generic offensive
weapons may be far smaller than assumed for the same reasons, and significant
investments in highly specific attack programs may be deployable only against a
very limited target set. Third, once developed, an offensive tool is likely to
have a far shorter half-life than the defensive measures put in place against
it. Even worse, a weapon may only be able to strike a single time; once the
exploits of a specialized piece of malware are discovered, the most critical
systems will likely be patched and fixed quickly. And a weapon, even a potent
one, is not much of a weapon if an attack cannot be repeated. Any political
threat relies on the credible threat to attack or to replicate a successful
attack. If that were in doubt, the coercive power of a cyberattack would be
drastically reduced.
"We Need a Cyberarms Control Agreement."
We don't. Cyberwar alarmists want the United
States to see cybersecurity as a new challenge on a geopolitical scale. They
see cyberspace becoming a new area for military competition with rivals such as
Russia and China, and they believe new cyberarms limitation agreements are
needed to prevent this. There are some rumblings to establish international
norms on this topic: The British government convened a conference in London in
late 2011, originally intended to make the Internet more secure by agreeing on
new rules of the road, and Russia and China proposed at the U.N. General
Assembly last September the establishment of an "international code of
conduct for information security." Now, diplomats are debating
whether the United Nations should try to forge the equivalent of nuclear arms
control in cyberspace.
So, should it? The
answer is no. Attempts to limit cyberweapons through international agreements
have three principal problems. The
first difficulty is drawing the line between cybercrime and potentially
political activity in cyberspace. In January, for instance, a Saudi hacker stole
about 20,000 Israeli credit card numbers from a shopping website and leaked the
information to the public. In retaliation, a group of Israeli hackers broke
into Saudi shopping sites and threatened to release private credit card
information.
Where is the dividing
line? Even if it were possible to distinguish criminal from state-sponsored
political activity, they often use the same means. A second hitch is practical: Verification would be impossible. Accurately counting the
size of nuclear arsenals and monitoring enrichment activities is already a huge
challenge; installing cameras to film programmers and "verify" they
don't design malicious software is a pipe dream.
The third problem is political, and even more fundamental:
Cyberaggressors may act politically, but in sharp contrast with warfare, they
are likely to have a strong interest
in avoiding attribution. Subversion has always thrived
in cyberspace because preserving
one's anonymity is easier to achieve than ironclad attribution. That's
the root of the political problem: Having a few states agree on cyberarms
limitation is about as realistic as a treaty to outlaw espionage and about as
practical as outlawing the general subversion of established order.
"The West Is Falling Behind Russia and China."
Yes, but not how you
think. Russia and
China are busy sharpening their cyberweapons and are already well steeped
in using them. The Russian military clandestinely crippled Estonia's economy in
2007 and Georgia's government and banks in 2008. The People's Liberation Army's
numerous Chinese cyberwarriors have long inserted "logic bombs" and
"trapdoors" into America's critical infrastructure, lying dormant and
ready to wreak havoc on the country's grid and bourse in case of a crisis. Both
countries have access to technology, cash, and talent -- and have more room
for malicious maneuvers than law-abiding Western democracies poised
to fight cyberwar with one hand tied behind their backs.
Or so the alarmists
tell us. Reality looks quite different. Stuxnet, by far the most sophisticated
cyberattack on record, was most likely a U.S.-Israeli operation. Yes, Russia
and China have demonstrated significant skills in cyberespionage, but the fierceness
of Eastern cyberwarriors and their coded weaponry is almost certainly
overrated. When it comes to military-grade offensive attacks, America and
Israel seem to be well ahead of the curve.
Ironically, it's a
different kind of cybersecurity that Russia and China may be more worried
about. Why is it that those countries, along with such beacons of liberal
democracy as Uzbekistan, have suggested that the United Nations establish an
"international code of conduct" for cybersecurity? Cyberespionage was
elegantly ignored in the suggested wording for the convention, as virtual
break-ins at the Pentagon and Google remain a favorite official and corporate
pastime of both countries. But what Western democracies see as constitutionally
protected free speech in cyberspace, Moscow and Beijing regard as a new threat
to their ability to control their citizens. Cybersecurity has a broader meaning
in non-democracies: For them, the worst-case scenario is not collapsing power
plants, but collapsing political power.
The social
media-fueled Arab Spring has provided dictators with a case study in the need
to patrol cyberspace not only for subversive code, but also for subversive
ideas. The fall of Egypt's Hosni Mubarak and Libya's Muammar al-Qaddafi surely
sent shivers down the spines of officials in Russia and China. No wonder the
two countries asked for a code of conduct that helps combat activities that use
communications technologies -- "including networks" (read: social
networks) -- to undermine "political, economic and social stability."
So Russia and China
are ahead of the United States, but mostly in defining cybersecurity as the
fight against subversive behavior. This is the true cyberwar they are fighting.
= = = = =
Cyberwar Is Already Upon Us
But can it be controlled?
BY JOHN ARQUILLA |
MARCH/APRIL 2012
In the nearly 20 years
since David Ronfeldt and I introduced our concept of
cyberwar, this new mode of conflict has become a reality. Cyberwar is here, and
it is here to stay, despite what Thomas Rid and other skeptics think.
Back then, we
emphasized the growing importance of battlefield information systems and the
profound impact their disruption would have in wars large and small. It took
just a few years to see how vulnerable the U.S. military had become to this
threat. Although most information on cyberwar's repercussions -- most notably
the 1997 Eligible Receiver exercise -- remains classified, suffice it to say
that their effect on U.S. forces would be crippling.
Cyberwar waged against
one of America's allies has already proved devastating. When Russian tanks
rolled into Georgia in 2008, their advance was greatly eased by cyberattacks on
Tbilisi's command, control, and communications systems, which were swiftly and
nearly completely disrupted. This was the very sort of online assault Ronfeldt
and I had envisioned, with blitzkrieg-style operations on the ground augmented
by a virtual "bitskrieg."
In some respects, the
Russo-Georgian conflict illuminates the potential of cyberwar in a manner not
unlike the way the Spanish Civil War foreshadowed the rising dominance of air
power 75 years ago, offering a preview of World War II's deadly aerial
bombings. Like air warfare, cyberwar will only become more destructive over
time. For that reason, the Pentagon was right last year to formally designate
cyberspace as a "warfighting domain."
These developments
align closely with our own predictions two decades ago. But another notion
arose alongside ours -- that cyberwar is less a way to achieve a winning
advantage in battle than a means of covertly attacking the enemy's homeland
infrastructure without first having to defeat its land, sea, and air forces in
conventional military engagements.
I have been bemused by
the high level of attention given to this second mode of "strategic
cyberwar." Engaging in disruptive cyberattacks alone is hardly a way to
win wars. Think about aerial bombing again: Societies have been standing up to
it for the better part of a century, and almost all such campaigns have failed.
Civilian populations are just as likely, perhaps even more so, to withstand
assaults by bits and bytes. If highly destructive bombing hasn't been able to
break the human will, disruptive computer pinging surely won't.
Rid seems especially
dubious about the potential for this form of strategic cyberwar. And rightly
so. But there is ample evidence that this mode of virtual attack is being
employed, and with genuinely damaging effects. The 2007 cyberwar against
Estonia, apparently arising out of ethnic Russian anger over removal of a World
War II monument, offered a clear example. The attack was initially highly
disruptive, forcing the government to take swift, widespread measures to
install security patches, improve firewalls, and make strong encryption tools
available to the people. Estonia is small, but one of the world's most wired
countries; 97 percent of its people do all their banking online. Costs
inflicted by the attacks -- from business interruption and disruption to the
need to erect new defenses -- are estimated in the many millions of euros. A
scaled-up version of this kind of cyberwar, to America-sized attacks, would
cause damage in the hundreds of billions of dollars.
The Stuxnet worm, which struck directly at Iranian nuclear-enrichment
capabilities, is another example of strategic cyberattack -- what I prefer to
call "cybotage." But will it achieve the larger goal of stopping Iranian proliferation efforts?
Not on its own, no more than the Israeli air raid on the
Osirak nuclear reactor 30 years ago ended the Iraqi nuclear program. Iraq's pursuit of nuclear technology simply
became more covert after the Osirak attack, and the same will surely hold
true for Iran today.
A key aspect of both Stuxnet
and the Estonian cyberattacks is that the identity of the perpetrators,
though suspected, cannot be known with certainty. This anonymity is also
the case with the extensive cybersnooping campaigns undertaken against
sensitive U.S. military systems since the late 1990s -- and against leading
companies, too, some of which are seeing their intellectual property
hemorrhaging out to hackers. A few of these campaigns have suspected links to
China and Russia, but nothing is known for sure. So these actions, which to my
mind qualify as a low-intensity form of cyberwar, have gone unpunished. Rid
himself acknowledges that these sorts of attacks are ongoing, so it seems we
are in agreement, at least about the rise of covert cyberwar.
My deeper concern is
that these smaller-scale cyberwar exploits might eventually scale up, given the
clear vulnerability of advanced militaries and the various communications
systems that cover more of the world every day. This is why I think cyberwar is
destined to play an increasingly prominent role in future wars. Yes, some
cyberweapons do require substantial investment of resources and manpower, as
Rid suggests. But once created, they can be used in ways that easily overcome
existing defenses. Even for those exploits that don't require significant
resources, like the campaign against Estonia, the lesson remains clear: The
advantage lies with those who take the offensive.
The challenge for
cyberwarriors today lies in figuring out how to thwart these various
cyberoffensives. This won't happen if defenders remain dependent on a
cyberspace-based version of the Maginot Line: the "firewalls"
designed to detect viruses, worms, and other tools, and to keep attackers from
intruding into and roaming about one's systems. Like the original Maginot Line,
which failed to protect France in World War II, the firewall is easily outflanked.
Sadly, undue faith in this passive mode of defense means that, right now, far
too much data can be found in fixed places, "at rest." This results
in far too much data remaining at risk, easily located and targeted for
extraction, manipulation, or destruction. Far better to move away from
dependence on firewalls to the ubiquitous use of strong encryption, which
protects data with unbreakable codes, and "the cloud," the vast
expanse of cyberspace in whose far reaches data can be safely secreted and then
swiftly summoned back when needed.
A final aspect of
cyberwar that Ronfeldt and I began contemplating so long ago -- virtual
conflict in the form of society-wide ideological strife -- is also coming to
pass. Such virtual operations, we wrote back
in the early 1990s, would one day extend to "efforts to promote dissident
or opposition movements across computer networks." Clearly, we have seen
this form of conflict take shape in the "color revolutions" of the
past decade and most recently in the Arab Spring; in both cases, the impact of
political activism was greatly enhanced by cyber-enabled social networking
tools and sites. If there is to be more cyberwar in the future, better it
should be what we called "social netwar" than the alternatives.
So, yes, cyberwar has
arrived. Instead of debating whether it is real, we need to get down to the
serious work of better understanding this new mode of war-fighting, which has
been enabled by an information revolution that has brought so much good to the
world, but which at the same time heralds an age of perpetual conflict. What we
really must ask is: Can cyberwar be controlled? Rid implies that international
cooperation to do so is doomed, but I'm not so sure. Pledges not to employ
cyberattacks against purely civilian targets, for example, may be genuinely
worthwhile -- at least for nations, if not for shadowy networks. But networks,
too, may come to follow some kind of code of behavior. Even the loosely linked
cyber vigilante group Anonymous takes considerable pains to explain the
rationales for its actions.
So here's hoping that,
amid the looming havoc of cyberwars to come, there will also be prospects for
cyberpeace.