Cyber War: The Next Threat to National Security and What to Do About It (25 page)

Somebody
should
say that, because, of course, it’s true. But would they? Very unlikely. The most senior American military officer just learned less than two years ago that his operational network could probably be taken down by a cyber attack. The Obama White House did not get around for a year to appointing a “cyber czar.” America’s warriors think of technology as the ace up their sleeves, something that lets their aircraft and ships and tanks operate better than any in the world. It comes hard to most of the U.S. military to think of technology as something that another nation could use effectively against us, especially when that technology is some geek’s computer code and not a stealthy fighter-bomber.

So, we cannot deter other nations with our cyber weapons. In fact, other nations are so undeterred that they are regularly hacking into our networks. Nor are we likely to be deterred from doing things that might provoke others into making a major cyber attack. Deterrence is only a potential, something that we might create in the mind of possible cyber attackers if (and it is a huge if) we got serious about deploying effective defenses for some key networks. Since we have not even started to do that, deterrence theory, the sine qua non of strategic nuclear war prevention, plays no significant role in stopping cyber war today.

2. NO FIRST USE?

One of the first things you should have noticed about the scenario in our hypothetical exercise was the idea of
going first
. In the absence of any strategy to the contrary, the U.S. side in the hypothetical exercise took the first move in cyberspace by sending out an insulting e-mail on what China thought was its internal military e-mail system and
then by initiating what the U.S. team hoped would be a limited power blackout. The strategic goal was to signal both the seriousness with which the U.S. viewed the crisis and the fact that the U.S. had some potent capabilities. Cyber Command’s immediate tactical objective was to slow down the loading of the Chinese amphibious assault force, to buy time for U.S. diplomats to talk China out of its planned operation.

In nuclear war strategy, the Soviet Union proposed that we and they agree that neither side would be the first to use nuclear weapons in a conflict. The U.S. government never agreed to the No First Use Declaration, preserving for itself the option to use nuclear weapons to offset the superior conventional forces of the Soviet Union. (My onetime State Department colleague Jerry Kahan once asked a Soviet counterpart why they kept suggesting we ban orange juice. When the Russian denied making such a proposal, Jerry retorted, “But you’re always running around saying ‘no first juice.’”) Should we incorporate a No First Use approach in our cyber war strategy?

There is no conventional military force in the world superior to that of the U.S., assuming that the U.S. military is not blinded or disconnected by a cyber attack. Therefore, we do not need to hold open the prospect of going first in cyberspace to compensate for some other deficiency, as we did in nuclear strategy. Going first in cyber war also makes it more politically acceptable in the eyes of the world for the victim of the cyber attack to retaliate in kind, and then some. Given our greater vulnerability to cyber attack, the U.S. may not want to provoke a cyber phase to a war.

However, forswearing the use of cyber weapons until they have been used on us could mean that if a conventional war broke out, we would not defend our forces by such things as cyber attacks on our opponent’s antiaircraft missile systems. The initial use of cyber war in the South China Sea scenario was a psychological operation on China’s internal military network, sending a harassing e-mail with a
picture of a sinking Chinese ship. Should that be considered a first use of cyber war?

Moreover, the scenario presented a problem that if you do not go first in cyberspace, your ability to conduct cyber attack may be reduced by the other side stepping up both its defensive measures (for example, China cutting off its cyberspace from the rest of the world) and its offensive measures (including attacks that disrupted U.S. networks that may be necessary for some of the U.S. attacks to be launched). Whether we say it publicly or maintain it as an internal component of our strategy, if we were to accept the concept of No First Use in cyber war we would require a clear understanding of what constitutes “use.” Is penetration of a network a cyber war act? When the network penetration goes beyond just collecting information, does the act then move from intelligence operations to cyber war? Any ban on “first use” would probably only apply prior to kinetic shooting. Once a war goes kinetic, most bets are off.

3. PREPARATION OF THE BATTLEFIELD

Another thing that you should have caught is that it appears that both sides had hacked into each other’s systems well before the exercise began. In the real world, they probably have actually done just that. How much of this is done and who approves it is an issue to be reviewed when creating a strategy.

If CIA sends agents into a country to conduct a survey for possible future sabotage and they leave behind a cache of weapons and explosives, under U.S. law such activity is considered covert action and requires a Presidential finding and a formal notification of the two congressional intelligence committees. In recent years, the Pentagon has taken the view that if it conducts some kind of covert action, well, that’s just preparation of the battlefield and no one needs
to know. The phrase “preparation of the battlefield” has become somewhat elastic. The battle does not need to be imminent, and almost anyplace can be a battlefield someday.

This elasticity has also been applied to cyber war capability, and apparently not just by the United States. In the hypothetical exercise, both the U.S. and China opened previously installed trapdoors in the other country’s networks and then set off logic bombs that had been implanted earlier in, among other places, the electric power grids. Beyond the exercise, there is good reason to believe that someone actually has already implanted logic bombs in the U.S. power grid control networks. Several people who should know implied or confirmed that the U.S. has also already engaged in the same kind of preparation of the battlefield.

Imagine if the FBI announced that it had arrested dozens of Chinese government agents running around the country strapping C4 explosive charges to those big, ugly high-tension transmission line towers and to some of those unmanned step-down electric substation transformers that dot the landscape. The nation would be in an outrage. Certain Congressmen would demand that we declare war, or at least slap punitive tariffs on Chinese imports. Somebody would insist that we start calling Chinese food “liberty snacks.” Yet when the
Wall Street Journal
announced in a headline in April 2009 that China had planted logic bombs in the U.S. grid, there was little reaction. The difference in response is indicative mainly of the Congress, the media, and the public’s inexperience with cyber war. It is not reflective of any real distinction between the effects those logic bombs could have on the power grid, compared to what little parcels of C4 explosives might do.

The implanting of logic bombs on networks such as the U.S. power grid cannot be justified as an intelligence-collection operation. A nation might collect intelligence on our weapon systems by hacking into Raytheon’s or Boeing’s network, but there is no infor
mational value in being inside Florida Power and Light’s control system. Even if there were valuable data on that network, logic bombs do not collect information, they destroy it. The only reason to hack into a power grid’s controls, install a trapdoor so you can get back in quickly later on, and leave behind computer code that would, when activated, cause damage to the software (and even the hardware) of the network, is if you are planning a cyber war. It does not mean that you have already decided to conduct that war, but it certainly means that you want to be ready to do so.

Throughout much of the Cold War and even afterward there were urban legends about Soviet agents sneaking into the U.S. with small nuclear weapons, so-called suitcase bombs, that could wipe out U.S. cities even if Russian bombers and missiles were destroyed in some U.S. surprise attack. While both the Soviets and the U.S. did have small weapons (we actually had a few hundred called the Medium Atomic Demolition Munitions, or MADM, and another bunch called the Small Atomic Demolition Munitions, or SADM, which were designed to be carried in a backpack), there is no evidence that either side actually deployed them behind the other’s lines. Even at the height of the Cold War, decision makers thought that actually sending the MADMs out onto the streets would be too destabilizing.

How is it, then, that Chinese, and presumably U.S., decision makers have authorized placing logic bombs on the territory of the other? It is at least possible that high-level officials in one or both countries never approved the deployments and do not know about them. The cyber weapons might have been implanted on the authority of military commanders acting under their authority to engage in preparation of the battlefield. There is a risk that senior policy makers will be told in a crisis that the other side has planted logic bombs in preparation for war and will view that as a new and threatening development, causing the senior policy makers to ratchet up their response in the crisis. Leaders may be told that since it is obvious the
other side intends to crash our power grid, we should go first while we still can. Another risk is that the weapon may actually be used without senior-level approval, either by a rogue commander or by some hacker or disgruntled employee who discovers the weapon.

Cyber warriors justify the steps they have taken in preparation of the battlefield as necessary measures to provide national decision makers with options in a future crisis. “Would you want the President to have fewer courses of action to choose from in some crisis?” they would say. “If you want him to have the choice of a nonkinetic response in the future, you have to let us get into their networks now. Just because a network is vulnerable to unauthorized penetration now does not mean it will be so years from now when we may want to get in.”

Networks are constantly being modified. An electric power transmission company might one day buy an effective intrusion-prevention system (IPS) that would detect and block the techniques we use to penetrate into the network. But if we can get into the network now, we can leave behind a trapdoor that would appear to any future security system as an authorized entry. Getting onto the network in the future is not enough, however; we want to be able to run code that makes the system do what we want, to malfunction. That future IPS might block the downloading of executable code, even by an authorized user, without some higher level of approval. Thus, if we can get into the system now, we should leave behind the instruction code to override surge protection or cause the generators to spin out of synchronization, or whatever method we have to disrupt or destroy the network or the hardware it runs.

That sounds persuasive at one level, but are there places where we do not want our cyber warriors preparing the battlefield?

4. GLOBAL WAR

In our hypothetical exercise, the Chinese response aimed at four U.S. navy facilities but spilled over into several major cities in four countries. (The North American Interconnects link electric power systems in the U.S., Canada, and parts of Mexico.)

To hide its tracks, the U.S., in this scenario, attacked the Chinese power grid from a computer in Estonia. To get to China from Estonia, the U.S. attack packets would have had to traverse several countries, including Russia. To discover the source of the attacks on them, the Chinese would probably have hacked into the Russian routers from which the last packets came. In response, China hit back at Estonia to make the point that nations that allow cyber attacks to originate from their networks may end up getting punished even though they had not intentionally originated the attack.

Even in an age of intercontinental missiles and aircraft, cyber war moves faster and crosses borders more easily than any form of hostilities in history. Once a nation-state has initiated cyber war, there is a high potential that other nations will be drawn in, as the attackers try to hide both their identities and the routes taken by their attacks. Launching an attack from Estonian sites would be like the U.S. landing attack aircraft in Mongolia without asking for permission, and then, having refueled, taking off and bombing China. Because some attack tools, such as worms, once launched into cyberspace can spread globally in minutes, there is the possibility of collateral damage as these malicious programs jump international boundaries and affect unintended targets. But what about collateral damage in the country that is being targeted?

5. COLLATERAL DAMAGE AND THE WITHHOLD DOCTRINE

Trying to strike at navy bases, the two cyber combatants hit the power plants providing the bases electricity. In so doing, they left large regions and scores of millions of people in the dark because electric power grids are extremely vulnerable to cascading failures that move in seconds. In such a scenario there would probably be dozens of hospitals whose backup generators failed to start. The international laws of war prohibit targeting hospitals and civilian targets in general, but it is impossible to target a power grid without hitting civilian facilities. In the last U.S.-Iraq War, the U.S. campaign of “Shock and Awe” employed precision-guided munitions that wiped out targeted buildings and left structures across the street still standing. While being careful with bombs, the U.S. and other nations have developed cyber war weapons that have the potential to be indiscriminate in their attacks.

In the cyber war game scenario, U.S. Cyber Command was denied permission to attack the banking sector. In the real world, my own attempts to have NSA hack into banks to find and steal al Qaeda’s funds were repeatedly blocked by the leadership of the U.S. Treasury Department in the Clinton Administration. Even in the Bush Administration, Treasury was able to block a proposed hacking attack on Saddam Hussein’s banks at the very time that the administration was preparing an invasion and occupation in which over 100,000 Iraqis were killed. Bankers have successfully argued that their international finance and trading system depends upon a certain level of trust.