It's Time to Get Ready for Cyberwar
Military and national security operations in cyberspace have made headlines with increasing frequency.
· Security companies for several years have documented massive cyber-espionage by China’s People’s Liberation Army against the U.S. private and public sectors, and the U.S. Department of Justice recently responded by indicting five Chinese military officers for computer hacking, economic espionage, and other offenses directed at American nuclear power, metals, and solar products companies.
· Edward Snowden’s allegations of massive cyber spying by the National Security Agency and close American allies have raised worldwide fears about the security and privacy of the Internet.
· Russia and Iran have been accused of launching covert cyber operations against political and economic targets in the United States and neighboring countries. According to recent reports, it now appears Russian hackers attempted to place a “digital bomb” inside the NASDAQ stock exchange.
Fears are growing that, in an echo of the outbreak of World War I a century ago, some cyber event—the equivalent of the Serbian gunman’s assassination of the Austro-Hungarian Grand Duke in Sarajevo—could escalate into an outright cyberwar with dire consequences around the world. This article assesses whether these fears are well grounded by looking at cyber skirmishing that has been reported to date, what these incidents mean, how they might escalate, and how private-sector, not-for-profit, and government organizations can prepare for this contingency.
What Does “Cyberwar” Mean?
Nineteenth-century military theorist Carl von Clausewitz noted, “War is a mere continuation of policy by other means.” In the 21st century, nation-states and a host of private actors are using cyber exploits as a means of attaining policy goals, which often include stealing sensitive corporate data, disrupting information technology (IT) systems and other critical infrastructure, and reconnoitering the cyber networks of potential military adversaries. In the same way that patrolling gunboats in disputed waters or foot soldiers along ill-defined borders risked sparking conflict in Clausewitz’s time, today’s aggressive use of cyber tools has led to diplomatic sparring, skirmishes, and the threat of escalation.
When I say “cyberwar,” I do so with a Clausewitzian meaning: the use of computers by actors controlled by a nation state for a prolonged, cross-sector disruption of an adversary’s activities, especially deliberate attacks on IT systems. This definition excludes minor acts of cyber vandalism such as sporadic defacements of websites and distributed denial of service (DDOS) attacks, and also—since espionage per se is not traditionally considered an act of war—the clandestine collection of information from IT systems.
Limiting the definition of cyberwar is important because there is no broadly accepted definition, such as one provided by an international treaty or an established set of norms, to offer guidance. At the same time it is challenging, because definitions cannot cover every contingency and are of limited use in gray areas. Consider a cyberattack that causes a financial market crash but, because it does not directly harm people or the infrastructure necessary for preserving life and health, does not meet the criteria for a conventional act of war.
Reflecting these challenges, international organizations and nation states have taken different and often ambiguous steps to try to define doctrine for their own approach to cyberwar:
A recently published NATO manual on the applicability of international law to cyberwarfare does not explicitly define the term, although it does distinguish between “cyberwarfare” and “cyber operations,” and defines “cyber weapons” as those that can destroy objects and injure or kill people. A NATO official has said that “a cyber attack [on one member] could be treated as the equivalent of an armed attack,” but the nature of the Alliance’s response “will be decided by allies on a case-by-case basis.”
President Obama in 2013 issued a classified Presidential Policy Directive that authorizes military and intelligence services to identify potential overseas targets for U.S. cyberattacks, according to The Guardian. The document authorizes military commanders to launch cyberattacks to respond to the threat of an imminent attack or an emergency situation.
The Israeli Defense Forces say their doctrine handles “cyberspace … similarly to other battlefields on ground, at sea, in the air and in space.” Israel acknowledges that it engages “in cyber activity consistently and relentlessly, gathering intelligence and defending its own cyberspace” and is prepared to use cyberspace “if necessary … to execute attacks and intelligence operations.”
China’s military doctrine has been relatively explicit for more than a decade, according to an article in Military Review. Recognizing “informationized arms ... [as] a carrier of strategies” whose “basic purpose is to seize and maintain information dominance,” Chinese military theorists have advocated the use of cyber weapons for deceiving the enemy or applying psychological pressure on adversaries.
Russian operations in this area reflect a somewhat different doctrinal grounding. Russian definitions of “information warfare” or “information operations” avoid the term “cyber,” although some, like the Chinese, do use “informatization.” This may reflect a preference for establishing control of networks in order both to feed disinformation to adversaries and to provide “information support for the state policy of the Russian Federation”—i.e., to control internal and external messaging on issues of importance to Moscow.
Recent Cyber Skirmishes
Academic experts have noted that intelligence and military services use cyber exploits to conduct the sort of sensitive tasks that, until recently, were carried out by human spies, commandos, or missiles. Two examples indicate how such actions can disrupt military and economic infrastructure as effectively as kinetic strikes.
· In the run-up to the Russia-Georgia border war in 2007, Russian-controlled or affiliated hackers clandestinely penetrated Georgia’s Internet infrastructure to deploy an array of botnets, DDOS attacks, logic bombs, and other cyber exploits. Once the shooting war started, the cyber weapons disabled the Tbilisi government and paralyzed Georgia’s national banking system—leading to a de facto financial quarantine as international banks and other payments processors feared cyber infection.
· The United States and Israel designed the Stuxnet computer worm and remotely introduced it into industrial control systems that were critical to the country’s nuclear program. The subversion of these systems seriously disrupted the targeted program. Internal Obama administration estimates say the effort was set back by 18 months to two years.
Cyber tools can make espionage appear so pervasive and efficient that it creates a climate of insecurity and public demands for a muscular response. A Chinese military unit has allegedly carried out cyber espionage operations against at least 141 companies in the United States and elsewhere since 2006, making off with hundreds of terabytes of data, according to a 2013 study published by the computer security firm Mandiant. All members of this unit are located in Shanghai, and there apparently have been no direct, face-to-face meetings with human collaborators in the targeted companies. Extensive media coverage of this report and other allegations of rampant Chinese cyber espionage have probably played a role in U.S. officials’ decision to indict Chinese military intelligence officers for cyber espionage and have also fueled calls for Washington to engage in offensive cyber operations and take other stiff measures.
And what about cyber privateers? Hacker groups with ambiguous relationships to national governments often play an important role in cyber skirmishes. They provide plausible deniability for a nation state’s cyber operations, akin to the Soviet and U.S. use of guerrilla groups as proxies during the Cold War.
· Russian cyber operations against Ukraine this year, Georgia in 2008, and Estonia in 2007 appear to have been carried out for the most part by criminal groups and other hackers with no overt links to the Russian Government—although Kiev, Tbilisi, Tallinn, and independent security researchers have charged that such links existed.
· U.S. officials claim that hackers acting at the Iranian Government’s behest in 2012 attacked the websites and communications networks of the energy giant Saudi ARAMCO, in the same way that Tehran has used purportedly independent hacker groups to infiltrate and disrupt political opposition groups’ websites.
· China has reportedly tolerated, if not encouraged, “patriotic hackers” who have disrupted and defaced the websites of U.S., Japanese, and other organizations at times of diplomatic tension.
How Cyberwar Could Happen
The pace and stakes of cyber skirmishing are on the rise, reducing the margin of error and increasing the chance that misunderstanding or miscalculation by one or more nation states could escalate these skirmishes into cyberwar.
Scenario 1: Hackers Unbound
The likeliest scenario for an escalation to cyberwar starts with hackers. Because of the uncertain control that intelligence and military services often have over such groups, hackers could exceed the desires of the government they’re affiliated with – for instance, by destroying data rather than merely defacing a public-facing website or by introducing malware that spreads beyond the target’s IT system.
Even actions by independent hackers could set off escalation. Attribution for cyber exploits is hard in the best of circumstances, and nation states’ use of proxy hacker groups could lead some targets to see a government hand behind an action lacking affiliation with an intelligence or military service. Assignment of attribution may get even more difficult as the hacking kits increasingly available online make it easier for private citizens, or for smaller and poorer states, to carry out fast and sophisticated attacks. In these conditions, for example, an attack on Chinese organizations’ IT systems by hackers protesting the treatment of ethnic minorities, or on Russian oil companies’ networks by a group concerned about environmental issues, could be viewed as a proxy for hostile actions by a Western government leading to a spiral of retaliation.
Moreover, an escalation of cyber skirmishes caused by hacker exploits could occur with little warning. Companies and other third parties probably would have no visibility into hacker group operations or the likelihood that these would spark retaliation from the target.
Scenario 2: Clash of the Titans
In this scenario, cyber skirmishes escalate into cyberwar as a complement to conventional military action, as apparently happened in the Russia-Georgia conflict in 2008. Alternatively, cyber weapons could be used against military targets instead of kinetic strikes. A country facing the prospect of an adversary’s military deployment along a disputed border could use cyber tools to disrupt the IT systems that modern armed forces use for communications and logistical support, leading the targeted country to retaliate.
This type of scenario probably would be preceded by warning signs, such as media reports of military movements and increasingly heated rhetoric between the two states. However, the nature and extent of disrupted IT systems would be hard to anticipate, and a spread of military malware beyond its intended targets—or its capture and re-use by other parties—could compound damages.
Scenario 3: Corporate Guns of August
As corporate IT systems suffer accelerated intellectual property theft and disruptions from cyber intrusions, some companies could launch their own cyber counteroffensives. Tactics for retaliation could range from placing “honeypots” with deliberately falsified data on corporate networks to disrupting the networks of suspected attackers.
This type of freebooting retaliation could quickly escalate. Acting against the perpetrators of the massive Chinese cyber espionage operation identified in Mandiant’s report, for example, would mean attacking a unit of Beijing’s military. And targeting an apparently private corporation—much less a group of “patriotic hackers”—could be just as dangerous because of the close ties between companies and national governments in countries like China and Russia.
The country being targeted by a corporation’s private retaliation for cyber intrusions may also see such action as a proxy for the security or military services of the corporation’s home country, leading to a broader and more damaging spiral of escalation.
The cyber apocalypse is not here yet, but might be tomorrow.
Under current circumstances the effects of a cyberwar on most organizations are more likely to be disruptive than apocalyptic for two main reasons. First, although cyber exploits can immobilize functions that are critical to the operations of companies and regions for hours and maybe days, modern cyber architectures tend to have enough built-in redundancy and resiliency to preclude a cataclysmic crash of all critical systems simultaneously, on a national scale, and for an extended period.
Moreover, the actors who currently have the greatest capability to use cyber tools to inflict broad, systemic damage on their adversaries are the well-resourced nation states, which are most likely to calibrate their targeting carefully and whose economies are intertwined by growing IT and other links. (See James Lewis’s article “In Defense of Stuxnet.”) For example, if China or the United States were to try to immobilize the entire economy of an adversary, it would open a serious risk of a cyber or kinetic counter-attack aimed at inflicting the same kind of damage—a situation loosely analogous to the “mutually assured destruction” doctrine that helped restrain nuclear saber-rattling during the Cold War.
This balance is likely to change over time, though. On the “demand” side, there is a growing gray market in hacking tools that is likely to make more powerful exploits—directed, for example, against industrial control systems—more available to governments of smaller nations and even non-state groups that would have less to lose in a cyber exchange than a major power. On the “supply” side, the number of potential targets of cyber weaponry is growing exponentially as the Internet of Things increases linkages and devices that cyberweapons can target. The consulting firm Gartner projects that 26 billion devices—not counting personal computers, tablets, and smartphones—will be connected to the IoT by 2020, representing a nearly 30-fold increase since 2009.
The accelerating globalization of many organizations’ operations will also leave them increasingly vulnerable to disruption from cyberwar, even one that does not involve their home government. Businesses rely on research-and-development and production processes that are based in third-world countries. These important sources of innovation and revenue could be cut off, at least temporarily, by the deployment of cyber weapons. Cyberwar operations could also disrupt supply chains and support services. Tensions between China and its neighbors, for example, could disrupt call center operations in the Philippines or the manufacture of specialty parts for global supply chains in Vietnam.
Even now, when cyberwar is less likely to have apocalyptic consequences, it could disrupt companies’ operations across much of the economy. Industries most closely tied to military capabilities probably would quickly become the front lines of such a conflict: the defense industrial base, airlines, energy companies, pharmaceutical manufacturers and healthcare providers, commercial Internet service providers and telecommunications firms that serve military and other government operations, and utilities that supply power and water to government facilities.
Business, nonprofit, and government leaders should also anticipate significant indirect effects. Companies across the industry spectrum and across the globe would likely be at risk of damage from malware or a massive DDOS attack that a cyber combatant had introduced into their business ecosystems via customers, suppliers, and perhaps even employees’ personal contacts and electronic devices that had been connected to corporate networks.
Organizations Need to Prepare for the Worst
A cyberwar—like any war—is an outcome no one wants. But, given the ready availability and growing power of cyberweapons, the plethora of potential military targets on IT networks, and the many points of friction between competing nation states, this is an outcome we could all soon face with little or no warning. Organizations of all kinds need to be able to protect key assets if cyberwar comes, or they will risk becoming collateral damage.
There should be no doubt as to who is responsible for an organization’s response to a possible cyberwar or other security challenges. Although cybersecurity programs are typically executed by a Chief Information Officer (CIO), Chief Information Security Officer (CISO), or Chief Security Officer (CSO), the entire leadership team must be committed to cyber preparedness. Beyond enhancing resiliency, this type of preparation will build a mindset that is better able to recognize current and future security risks, navigate the threat landscape in pursuit of business opportunities, and allocate security resources more effectively.
Contingency planning for cyberwar should include knowing how a potential cyber combatant looks at an organization. The cyber threat landscape—the identity of adversaries, the type of operation they might conduct, and the tools they might use—changes daily, and it is shaped by where an organization does business, how it conducts business, and with whom.
Organizations need to be able to identify the most important assets to protect in the event of cyberwar. If they try to protect everything, in the end they will protect nothing. Understanding both the threat landscape and an organization’s critical assets is essential to crafting a strong and resilient contingency plan. A major component of this is to be able to know what critical assets are and who is responsible for them. Organizations also must understand the architecture of their IT networks and be able to identify applications that are not continuously monitored.
Another key element is understanding whether an organization has a secure enterprise ecosystem. Organizational assets—and vulnerabilities—are part of a global network, and a given company or government agency exercises direct control over only a portion of it. Supply chains, service providers and strategic partners, employees, and customers are all interconnected—in fact they are becoming more so with the spread of the IoT—and an attack on any one of these elements could affect an entire organization.
Flexible Action Plan
Contingency planning for cyberwar should be both threat-based and asset-based. That is, the choices should be predicated on informed risk assessments. Done right, such planning lets an organization continue to thrive, even in the aftermath of a cyberwar. Done wrong—or not at all—and the organization may not survive.
A public-private partnership strategy should be another element of contingency planning for cyberwar. The Obama Administration, the United Kingdom, and the European Union have recently taken important steps to advance corporate cybersecurity. Developing a productive partnership between public authorities and private companies is a key element of U.S., British, and European strategies. Organizations should take advantage of the new opportunities that these and other governments’ initiatives represent and seek out the right opportunities to collaborate with the appropriate agencies. They should also recognize that information sharing is not a one-way street and be prepared to implement cyberwar contingency planning that encompasses enterprise ecosystems, industry peers, cross-industry groups, and government agencies.
In sum, informed, adaptive, and secure organizations will be best prepared for the contingency of cyberwar by focusing on three key areas:
· Prioritizing resources and protecting those items and processes that are valuable to both the organization and potential cyber combatants.
· Carrying out cybersecurity practices that will not only protect a business in the event of cyberwar, but put it ahead of the pack in the global marketplace.
· Engaging with policymakers and regulators to keep up-to-date on threat vectors and plans for responding to threats.