Cyber War: The Next Threat to National Security and What to Do About It (29 page)

Fourth, the U.S. military is highly vulnerable to cyber attack. The U.S. military is “netcentric,” bringing access to databases and information further down into the operation of every imaginable type of military organization. Along with that access to information systems has come dependence upon them. One small sign of things to come was reported in late 2009. Insurgents in Iraq had used twenty-six-dollar software to monitor the video feeds of U.S. Predator drones through an unencrypted communications link. While not directly threatening to American troops, the discovery raises questions about the Pentagon’s beloved new weapon. What if the unencrypted signal could be jammed, thus causing the drone to return home? American forces would be denied one of their most valuable tools and an off-the-shelf program would defeat the product of millions of dollars of research and development. U.S. forces, in addition to being more wired, are also more dependent upon private-sector contractor support than any likely adversary. Even if the U.S. military’s own networks were secure and reliable, those of its contractors, who often rely upon the public Internet, may not be.

Those four asymmetries, taken together, tell us that if we and a potential adversary engaged in unlimited cyber warfare, they might do more damage to us than we could do to them. Having some effective limits on what nations actually do with their cyber war knowledge might, given our asymmetrical vulnerabilities, be in the U.S. national interest. Putting that broad theory into practice, however, would require some precise definitions of what kinds of activity might be permitted and what kinds prohibited.

Often arms control negotiations have found difficulty in achieving agreement on something as basic as a definition of what it is that they were seeking to limit. I sat around the table for months with Soviet counterparts trying to define something as simple as
“military personnel.” For the purposes of discussion in this book, we won’t have that kind of delay. Let’s take the definition we used in chapter 1 and make it sound more like treaty language:

With that definition and the U.S. asymmetrical vulnerabilities in mind, are there successes in other forms of arms control that could be ported into cyberspace, or new ideas unique to the characteristics of cyber war that could form the basis of beneficial arms control? What are the pitfalls of bad arms control to which we should give special attention and caution when thinking about limits on cyber war? How could an international agreement limiting some aspects of cyber war be beneficial to the United States, as well as operationally feasible and adequately verifiable?

SCOPE: ESPIONAGE OR WAR?

Any potential international agreement limiting or controlling cyber war must begin with the scope of the proposal. In other words: What is covered and what is out? The definition of cyber war I used above does not include cyber espionage. Hacking your way in to spy, to collect information, does not add or alter data, nor does it need to damage or disrupt the network or things that the network controls in physical space, if it’s done well.

The Russian cyber arms control proposal, however, is sweeping
in its scope and would prohibit something that the Russian Federation is doing every day, spying through hacking. The chief public advocate of the Russian proposal, Vladislav Sherstyuk, had a career of managing hackers. As Director of FAPSI, General Sherstyuk was the direct counterpart to the U.S. Director of the National Security Agency. His career background does not
necessarily
mean that General Sherstyuk is now being disingenuous when he advocates an international regime to prohibit what he has directed his agency to do for years. The technical differences between cyber espionage and destructive cyber war are so narrow, perhaps General Sherstyuk thinks that a distinction between the two cannot effectively be made. Or perhaps he has had a change of heart. Perhaps he believes that cyber espionage is something that now puts Russia at a disadvantage. More likely, however, the general, like all who have seen cyber espionage in action, would be very reluctant to give it up.

Cyber espionage is, at one level, vastly easier than traditional espionage. It is hard to exaggerate the difficulty of recruiting a reliable spy and getting such an agent into the right place in an organization so that he or she can copy and exfiltrate a meaningful amount of valuable information. Then there is always the suspicion that the material being provided is falsified and that the spy is a double agent. The best counterintelligence procedure has always been to imagine where the opponent would want to have a spy and then give them one there. The agent passes on low-grade data and then adds some slightly falsified material that makes it useless, or worse.

As I discussed in
Your Government Failed You
, the U.S. is not particularly good at using spies or, as the Americans like to call it, human intelligence (often shortened to HUMINT). The reasons have to do with the difficulty of the task, our reluctance to trust some kinds of people who might make good spies, the reticence of many Americans to become deep-cover agents, and the ability of other nations to detect our attempts at spying. These conditions are
deeply seated and cultural, have been true for sixty years or more, and are unlikely to change.

What we are remarkably good at is electronic spying. In fact, our abilities in cyber espionage often make up for our inabilities in the area of HUMINT. Thus, one could argue that forcing the U.S. to give up cyber espionage would significantly reduce our intelligence-collection capability, and that such a ban would possibly put us at a greater disadvantage than it would some other nations.

The idea of limiting cyber espionage requires us to question what is wrong with doing it, to ask what problem is such a ban intended to solve. Although Henry Stimson, Secretary of State under President Herbert Hoover, did stop some espionage on the grounds that “gentlemen do not read each other’s mail,” most U.S. Presidents have found intelligence gathering essential to their conduct of national security. Knowledge is power. Espionage is about getting knowledge. Nations have been engaging in espionage at least since biblical times. Knowing what another nation’s capabilities are and having a view into what they are doing behind closed doors usually contributes to stability. Wild claims about an opponent can lead to tensions and arms races. Spying can sometimes calm such fears, as when in 1960 there was discussion of a “missile gap,” that is, that the Soviets’ missile inventory greatly exceeded our own. Our early spy satellites ended that concern. Espionage can also sometimes prevent surprises and the need to be ready, on a hair trigger, in constant expectation of certain kinds of surprises. Yet there are some fundamental differences between cyber espionage and traditional spying that we may want to consider.

During the Cold War, the United States and the Soviet Union each spent billions spying on each other. We worked hard, as did the Soviets, to recruit spies within sensitive ministries in order to learn about intentions, capabilities, and weaknesses. Sometimes we
succeeded and reaped huge benefits. More often than not, we failed. Those failures sometimes came with damaging consequences.

In the late 1960s, U.S. espionage efforts against North Korea almost led to combat twice. The U.S. Navy electronic espionage ship
Pueblo
was seized, along with its eighty-two crew members, by the North Korean Navy in January 1968. For eleven months, until the crew was released, militaries on the Korean Peninsula were on high alert, fearing a shooting war. Five months after the crew’s release, a U.S. Air Force EC-121 electronic espionage aircraft was shot down off the North Korean coast, killing all thirty-one Americans on board (interestingly, on the birthday of North Korean leader Kim Il-sung). The U.S. President, Richard Nixon, considered bombing in response, but with the U.S. Army tied down in Vietnam, he held his fire, lest the incident escalate into a second U.S. war in Asia.

Seven months later, a U.S. Navy submarine was allegedly operating inside the territorial waters of the Soviet Union when the ship collided underwater with a Red Navy submarine. Six years later Seymour Hersh reported, “The American submarine, the USS
Gato
, was on a highly classified reconnaissance mission as part of what the Navy called the Holystone program when she and the Soviet submarine collided fifteen to twenty-five miles off the entrance to the White Sea.” According to Peter Sasgen’s excellent
Stalking the Bear
, “Operation Holystone was a series of missions carried out during the Cold War [that] encompassed everything from recording the acoustic signatures of individual Soviet submarines to collecting electronic communications to videotaping weapon tests.” Both these incidents of spying gone wrong could have brought us into very real and dangerous conflict.

In early 1992, I was an Assistant Secretary of State, and my boss, Secretary of State James A. Baker III, was engaged in delicate negotiations with Russia about arms control and the end of the Cold
War. Baker believed he was succeeding in overcoming the feelings of defeat and paranoia in the leadership circles and the military elites in Moscow. He sought to assuage fears that we would take advantage of the collapse of the Soviet Union. Then, on February 11, the USS
Baton Rouge
, a nuclear submarine, collided not far off the coast from Severomorsk with the Red Banner Fleet’s
Kostroma
, a Sierra-class submarine. The Russians, outraged, charged that the U.S. submarine had been collecting intelligence inside the legal limit of their territory.

I recall how furious Baker was as he demanded to know who in the State Department had approved the
Baton Rouge
’s mission and what possible value it could have compared to the damage that could be done by its discovery. Baker urgently embarked on a diplomatic repair mission, promising his embarrassed counterpart, Eduard Shevardnadze, that any future such U.S. operations would be canceled. The USS
Baton Rouge
, badly damaged, made it back to port, where it was, shortly after, struck from the fleet and decommissioned. Those in Moscow who had been preaching that America was hoodwinking them had their proof. The distrust Baker sought to end only grew instead.

As we think of cyber espionage, we should not just think of it as a new intercept method. Cyber espionage is in many ways easier, cheaper, more successful, and has fewer consequences than traditional espionage. That may mean that more countries will spy on each other, and do more of it than they otherwise would.

Prior to cyber espionage, there were physical limits to how much information a spy could steal and, thus, in some areas there were partial constraints on the extent of the damage he could do. The case of the F-35 fighter (mentioned briefly above, in chapter 5) demonstrates how when the quantitative aspect of espionage changes so much with the introduction of the cyber dimension, it does not just add a new technique. Rather, the speed, volume, and global reach
of cyber activities make cyber espionage fundamentally and qualitatively different from what has gone before. Let’s look at the F-35 incident again to see why.

The F-35 is a fifth-generation fighter plane being developed by Lockheed Martin. The F-35 is meant to meet the needs of the Navy, Air Force, and Marines in the twenty-first century for an air-to-ground striker, replacing the aging fleet of F-16s and F-18s. The F-35’s biggest advancement over the fourth-generation aircraft will be in its electronic warfare and smart weapons capabilities. With a smaller payload than its predecessors, the F-35 was designed around a “one shot, one kill” mode of warfare that depends on advanced targeting systems. Between the Air Force, Navy, and Marines, the U.S. military has ordered nearly 2,500 of these planes, at a cost of over $300 billion. NATO nations have also ordered the aircraft. The F-35 would provide dominance over any potential adversary for the next three decades. That dominance could be challenged if our enemies could find a way to hack it.

In April 2009, someone broke into data storage systems and downloaded terabytes’ worth of information related to the development of the F-35. The information they stole was related to the design of the aircraft and to its electronics systems, although what exactly was stolen may never be known because the hackers covered their tracks by encrypting the stolen information before exporting it. According to Pentagon officials, the most sensitive information on the program could not have been accessed because it was allegedly air-gapped from the network. With a high degree of certainty, these officials believe that the intrusion can be traced back to an IP address in China and that the signature of the attack implicates Chinese government involvement. This was not the first time the F-35 program had been successfully hacked. The theft of the F-35 data started in 2007 and continued through 2009. The reported theft was “several” terabytes of information. For simplicity’s sake,
let’s assume it was just one terabyte. So, how much did they steal? The equivalent of ten copies of the
Encyclopaedia Britannica
, all 32 volumes and 44 million words, ten times over.

If a Cold War spy wanted to move that much information out of a secret, classified facility, he would have needed a small moving van and a forklift. He also would have risked getting caught or killed. Robert Hanssen, the FBI employee who spied for the Soviets, and then the Russians, starting in the 1980s, never revealed anywhere near that much material in over two decades. He secreted documents out of FBI headquarters, wrapped them in plastic bags, and left them in dead drops in parks near his home in Virginia. In all, Hanssen’s betrayal amounted to no more than a few hundred pages of documents.