Fascinating article in this morning’s Wall Street Journal on how the Pentagon has concluded it can defend against, or respond to, cyber attacks with bombs. Fascinating, and typical (Kinetic rules!). Only three problems with it: the Pentagon doesn’t make these kinds of decisions, finding the perpetrator can be next to impossible, and if you bomb, the target is likely to know who’s doing the bombing. Unfortunately, cyber warfare is a vexing problem that doesn’t always favor a superpower, as I detailed in late 2009.
The next war launched by the U.S. will most likely begin quietly, without the traditional destruction of the enemy’s air-defense network. For the past generation, the U.S. has loudly announced its wars with a “shock and awe” barrage that pulverizes a foe’s radars and anti-aircraft missiles. But the coming generation will see such wars start with far less shock — but ultimately far greater awe.
That’s because an air-defense network — an array of sensors and weapons spread along a nation’s periphery and potent only so long as its separate elements can communicate with one another — is a prime target for cyber warfare. Instead of blasting radars and anti-aircraft missiles to smithereens in the war’s opening minutes, U.S. cyber warriors will simply hit their “send” keys, dispatching disabling data deep into the enemy’s computer networks. Moments later, U.S. warplanes will slip, undetected and unmolested, toward enemy targets. Down below, perplexed air-defense operators will stare blankly into computer screens gone blind, their belated commands to fire on the attacking planes lost in an electronic fog of war.
This is the face of 21st Century combat. While the Pentagon won’t talk about it — and has told its contractors involved in such efforts to keep mum — it is moving to offensive online weapons. Top officers have begun dropping hints about new, highly-classified capabilities. “If it were possible to interrupt radar systems or surface to air missile systems via cyber,” Gen. Norton Schwartz, the Air Force chief of staff, said recently, “that would be another very powerful tool in the tool kit.” You might even be able to stop a war before it begins. “What if you could so scramble the brain of the enemy so that they can’t do their command and control, and they lose their ability to wage warfare?” Lieut. Gen. William Lord, a top Air Force cyber warrior, asked a military audience in 2009.
For years, the Pentagon has spoken only of its defensive cyber efforts. Of course, the U.S.’s war-fighting machine is called the Department of Defense, so the distinction between offense and defense can sometimes seem fuzzy. But it’s the instantaneous nature of cyber attacks that has rendered defenses against them obsolete. Once an enemy finds a chink in U.S. cyber armor — and opts to exploit it — it will be too late for the U.S. to play defense (it takes 300 milliseconds for a keystroke to travel halfway around the world). There is a growing realization that the U.S. needs to be relentlessly hunting for those probing U.S. networks and taking action to ensure they don’t develop the firepower to do damage. It’s possible it’s already happening, without you — or those being targeted — any the wiser.
In fact, there’s growing concern that this capability is growing too fast and too secretly, with scant oversight and no public debate. “I have no doubt we’re doing some very profoundly sophisticated things on the attack side,” says William Owens, a retired Navy admiral and cyberwar expert who recently led a federal study on the matter. “But that is little realized by many people in Congress or the Administration.”
Yet there is a growing pile of contracts, reports and technical papers that makes clear the swirls of fiber optic cables girdling the globe are where the next war will begin. Beyond merely shutting down vital enemy systems, it entails a witch’s brew of stealth, manipulations and falsehoods designed to lure the enemy into believing he is in charge of his forces when, in fact, they have been secretly enlisted as allies of the U.S. military. It marks the first time since the dawn of the atomic age that a new family of weaponry could rewrite the rules of war. “This is going to be one of the significant new realms of conflict,” Defense Secretary Robert Gates told Air Force officers in April.
But key concepts that have regulated war forever — like deterrence and attribution — are slippery or missing in cyberspace. Boundaries don’t exist, making sovereignty moot. Asymmetries abound — defenders must defend everything, all the time, while an attacker can prevail by exploiting a lone vulnerability. A phishing e-mail or a thumb drive connected to a secure computer can compromise an entire network. Tracking down the source of cyber sabotage, routed like a skipping stone through a series of innocent servers, can be all but impossible. And if you don’t know who’s attacking, how can you deter?
More critically, the U.S. relies so heavily on the Internet that any offensive actions it takes — actions that could trigger counter-punches from others — could end up hurting the U.S. more than the adversary. Lawyers still don’t know what constitutes an “act of war” on the Internet: the Soviet Union shot down Gary Powers and his U-2 spy plane over its territory in 1960, yet the reconnaissance he was physically conducting is happening — albeit virtually — among more than 100 nations, including the U.S., today. And experts are divided on whether cyber warfare would inadvertently generate extensive civilian casualties — or spare innocent blood.
A BRAVE NEW DOMAIN
Unlike the traditional ways of waging war, where the land, sea and sky can be mapped — and the laws of physics do not change — cyberspace is a manmade domain that is constantly evolving. “We invented this battle space,” declares Marine General James Cartwright, vice chairman of the Joint Chiefs of Staff and a leading uniformed proponent of expanding the U.S. military’s online clout. While the Pentagon created what became the Internet 40 years ago, it has grown far beyond its original aim of linking university researchers together. Today, it is a flood of electronic packets moving at light speed, selling anything to anyone and critical to the world’s financial, health, power, transit and water systems. Yet it remains largely unregulated. There is no cyber cop walking the beat, shining her flashlight into the Internet’s darkest corners and locking up miscreants. That openness — a big part of the Internet’s attraction — also shields troublemakers.
Bad actors, ranging from curious teen-age hackers to foreign military services, try to attack U.S. networks 30,000 times every day. U.S. experts believe only a handful of nations — among them Britain, China, France, India, Israel, Russia, South Korea, as well as the U.S. — could launch a crippling cyber strike. “A sophisticated attack against infrastructure requires planning, reconnaissance, resources and skills currently only available to these advanced cyber attackers,” a recent report from the Center for Strategic and International Studies concludes.
But building a “Maginot Line” against such strikes is doomed to fail, because the defense must always succeed while the attacker pays no penalty for repeated attacks and can keep on trying until he succeeds. That logic has pushed the U.S. military toward creating its own cyber attack capabilities, if for no other reason than to blunt attacks from potential adversaries through pre-emptive action. Dennis Blair, the nation’s spy chief, said September 15 that the U.S. has to be “very aggressive…in cyber, both protecting our own secrets and stealing those of others.”
Cartwright has made clear that the U.S. military for too long has been consumed with simply defending its networks. When he took over U.S. Strategic Command in 2004, his subordinates saw that as their lone cyber mission. “God bless the defenders, but when I came into the business at STRATCOM,” he has said, “that’s all anybody wanted to talk about — the next iteration of a firewall.”
All that is changing, starting with the recent creation of a new U.S. Cyber Command. The recently-declassified National Military Strategy for Cyberspace Operations says the Pentagon will prowl the world’s cyber networks “and shape the cyberspace environment as necessary to provide integrated offensive and defensive options.” Only offensive operations offer the ability “to gain and maintain the initiative,” the 2006 document said. A companion guidebook for cyberwar said the Joint Chiefs want the ability to destroy an enemy’s computer network “entity so badly that it cannot perform any function,” to deny a foe “from accessing and using critical information, systems, and services” and to spoof adversaries “by manipulating their perception of reality.” Just how such wizardry is to be accomplished is contained in a classified supplement.
BEHIND THE SILICON CURTAIN
“The U.S. armed forces are actively preparing to engage in cyber attacks, and may have done so in the past,” said the April study by the National Research Council that Owens helped lead. The Pentagon already has standing authority to attack computer systems threatening U.S. military operations. But to see just how much power the U.S. military wants over a potential foe’s networks, one has to pore over thousands of pages detailing the 2010 $664 billion U.S. military budget:
— The Air Force wants to “integrate capabilities developed from ongoing offensive cyber programs in the areas of gaining access to systems, performing operations in a stealthy manner, gathering intelligence from the compromised systems, and launching cyber ‘effects’ against the systems.”
— The Army is developing “techniques that capture and identify data traversing enemy networks for the purpose of Information Operations or otherwise countering adversary communications” and “interception and countermeasure capabilities against network traffic flows of interest.”
— The Navy wants “the acceleration of development and testing of a non-lethal, non-attributable system designed to offer non-kinetic offensive IO solutions” and adds that it has been engaged in a “multi-year series of Offensive Information Operations experiments.”
In a 2008 contract solicitation for the Air Force’s Dominant Cyber Offensive Engagement research program, the service let it be known it wants the ability to burrow into any computer system anywhere in the world “completely undetected.” It wants the ability for its computer code to lurk on potential adversaries’ networks for years, “maintaining a ‘low and slow’ gathering paradigm” to thwart detection. Clandestinely exploring such networks, the program would “stealthily exfiltrate information” in hopes it might “discover information with previously unknown existence.” The U.S. cyber warriors’ goal: “Complete functional capabilities” once inside an enemy’s computer network.
Such battles are already finding their way into military war games, suggesting they are ready to be used. The leader of a 2008 Air Force exercise acknowledged that one team’s aircraft, artillery and radars “are open to attack through cyber vectors.” The more crafty team infiltrated its opponents’ network, which “resulted in a near-complete failure of all processes,” a summary of the event said. “This attack created intense confusion as the victim team struggled to understand what happened. Interestingly, they did not initially assume a cyber attack.”
BEYOND THE REALM
Some cyberwar options befit a modern James Bond. The NRC report’s 14 authors — among them the nation’s leading experts on cyber warfare — labeled such techniques “hypothetical.” But they describe a quiver of cyber arrows designed to ensure a foe’s confidence in its war-fighting prowess is both shaken and stirred:
— The U.S. can slip smart chips into GPS-guided bombs, allowing them to work properly against U.S. foes but to go astray when aimed at the U.S. or its allies.
— Pentagon weapons sold overseas can be outfitted with “stay alive” codes that render them inoperative if not regularly updated. Such data could “be transmitted by U.S. forces confronted with these platforms or munitions,” the NRC study said.
— A nation could taint an enemy’s target list, labeling a day care center as a munitions bunker, an historic cathedral as a troop barracks, and the embassy of a neutral nation as part of the defense ministry (this last error occurred in 1999 when a B-2 bombed the Chinese embassy in Belgrade; the U.S. blamed its use of an outdated map).
— The U.S. could assume control of a foreign factory making weapons, replacing reliable materials with those poorly-suited for war — a switch detected only after war begins.
— A cyber attack could be launched to disable an adversary’s security, thereby enabling the U.S. to implant software that monitors and transmits the key strokes of foreign leaders.
— The Pentagon — once realizing a foe has breached security and is monitoring certain actions — could feed it misinformation, confident it would be highly-trusted by the illicit recipient.
— A cyber attack that threatens a foreign leader’s financial assets could persuade him to cooperate with the U.S.
— Cyber attacks could be psychological. The NRC suggested e-mails could be sent to foes saying “your building is going to be bombed in 30 minutes, it is a good idea if you leave” or “we know where your lover’s safe house is.”
Back in the known world, the Pentagon is testing devices to launch and command cyber attacks, and is preparing to build a National Cyber Range where the U.S. military can practice launching — and defending against — such strikes. Cyber attack capabilities are so cheap — alongside conventional weapons — that their cost could be buried in the Pentagon’s everyday operational accounts (the acknowledged budget of that Air Force Dominant Cyber Offensive Engagement program is $11 million, less than the U.S. military spends every 10 minutes).
The Pentagon definition of a major weapon system is one costing more than $300 million to develop or $1.8 billion to buy. “Programs for acquiring cyber attack capabilities and tools are likely to cost far less than these amounts,” the NRC report said, adding that funding for cyber attack capabilities is “deliberately obscured” in Pentagon budget documents. “A low budget profile supports low visibility,” it added. “Proponents of a given capability would prefer low visibility for programs supporting that capability, especially if the capability were controversial in nature.”
Experts are divided on how lethal cyberwar might be, and are likely to remain so until one is waged. With the Internet woven so thoroughly into modern society, are there cyber-targets that can be hit — a power grid, for example — without shutting down banks and hospitals? “Cyber-weapons could cause lasting damage, and significant loss of life, if used against such critical facilities as electric power stations, hospitals, and food processing or pharmaceutical production plants,” warned a 2008 report by the Defense Science Board. But John Arquilla, a war futurist at the Naval Postgraduate School in Monterey, Calif., dissents. “All warfare causes collateral damage,” he says. “But the more you do as cyberspace warfare, the less physical damage you will do and the more lives you will save.”
STUMBLING INTO CYBERWAR?
The U.S. has no declared policy on the use of offensive cyber weapons, despite a 2003 Pentagon study urging that it adopt one. “For the record, the U.S. government has acknowledged that it has an interest in such capabilities as a possible instrument of national policy, but this is virtually all that it acknowledges publicly,” the NRC report said. It warns that the U.S. could drift into such a conflict without clearly understanding the stakes involved. A comprehensive look at the American willingness to wage cyberwar “is rarely discussed in public,” it added. Such silence contributes to “ill-formed, undeveloped and highly uncertain” policies regarding its use.
Cartwright agrees, and has made clear there has been an element of the Keystone Kops in the Pentagon’s cyber efforts. “We had the defense, we had the guys going out and doing reconnaissance, and we had the offense,” Cartwright told a cyber-wargame gathering in December. “And the reconnaissance guys would come back, knowing where the bad guys were, not tell the defense, not tell the offense; the offense would go out and start shooting and not tell the defense they were shooting.”
Waging war via electrons has happened in fits and starts over the past 20 years. In 2003, prior to invading Iraq, the U.S. was primed to shut down Baghdad’s banking system. But the Bush Administration scrapped the plan over concerns its mayhem could spread beyond Iraq’s borders to U.S. allies — and maybe the U.S. itself. But the U.S. did send pre-invasion emails to senior Iraqi officers — purportedly from fellow officers — encouraging them not to fight. Washington has deployed cyber warfare against Iran in an effort to thwart its nuclear program, and to ensnare al Qaeda targets by feeding them misleading data, according to the New York Times.
The first major known uses of cyber warfare occurred in a pair of conflicts involving Russia. The first pitted Moscow against Estonia in April 2007, when unknown hackers shut down Estonia’s banking and governmental computers amid rising tensions between the two nations. In August 2008, Georgians lost access to news and money as their computer networks froze up just as war between Russia and their country erupted.
ENLISTING THE CYBER FORCE
Within days, the responsibility for waging cyber warfare will belong to a new U.S. Cyber Command. By the end of October, it’s slated to begin operations at Fort Meade, Maryland. Not coincidentally, that’s also home to the National Security Agency, which vacuums the world’s information networks seeking intelligence. In fact, the NSA commander, Army Lieut. Gen. Keith Alexander, is the most likely choice to head the new command — as well as NSA — picking up a fourth star in the process. The logic of locating the nation’s cyber warfare headquarters alongside its electronic spies is clear: NSA’s spies, by burrowing into and mapping the world’s computer networks, are basically drafting war plans for whatever offensive strikes U.S. Cyber Command might carry out.
But the U.S. military faces challenges developing the software to wage cyber war. The Pentagon is an industrial-age monolith, measuring development cycles in years instead of the weeks common in the online world. “We build an application the same way we build an aircraft carrier, and about as fast,” Cartwright recently told an Air Force audience. “We have to figure out a way to change that.” The military’s “Napoleonic command and control” system stifles innovation, he added. “The technology is not what paces us, it is the culture.”
Recruiting troops for cyberwar will be even tougher. The Pentagon says it has 90,000 cyber warriors, but that includes every uniformed IT tech. The number of true cyber warriors is far smaller. In fact, the Pentagon is currently training only 80 a year, although that will quadruple by 2011. “The service chiefs have basically been told that filling all the slots in the cyber school is their first priority,” Gates told Air Force officers in April.
Instead of donning body armor and 60-pound rucksacks, cyber warriors may well work from the comfort of home, outfitted with laptop, latte and loungewear. Rather than confronting armed foes face to face, they’ll tap at keyboards, seeking vulnerabilities on others’ networks and working with moles in foreign lands. “We’re a culture that’s used to putting a pack on our back and fixing a bayonet,” General Lord has said. “This is a different kind of warrior and a different kind of warfare.”
In fact, some believe the Pentagon’s existing structure can’t fully exploit cyberspace and are arguing for creation of a new military service for the role, much as the nation created the Air Force in 1947. “The cultures of the Army, Navy, and Air Force are fundamentally incompatible with that of cyber warfare,” says Lieut. Col. Greg Conti, a professor of computer science at West Point. “These existing services operate in the kinetic arena, the directed application of physical force, whereas cyber warfare exists in the non-kinetic world of information flows, network protocols, and hardware and software vulnerabilities.” The technical expertise needed to win in cyberspace isn’t prized by the services, he argues, and only a separate service can solve that problem before it’s too late. “A major cyberwar involving the United States,” Conti says, “is inevitable.”
But others disagree. They argue that outlawing major-league cyberwars — or at least regulating them in the same way arms-control pacts have contained nuclear weapons — is a more promising path. “It’s like biological weapons,” says computer scientist Neil Rowe of the Naval Postgraduate School. He wants cyber weapons — just like anthrax and botulism — banned by the international community. Cyberwar is just like “putting poison in a community’s water system,” he writes in a paper on “The Ethics of Cyberweapons in Warfare.”
Retired admiral Owens, who spent 33 years in uniform, doesn’t go that far. He’s willing to settle for what he calls “a no-first-use cyber attack treaty” between the U.S. and China, the two prime players in cyberspace. “A national cyber attack could have the same kinds of deaths and destruction as a nuclear attack,” he warns. Getting Beijing and Washington to commit to a no-first-use pledge, he says, would be a gift to future generations — “before we get so serious about it that we’re unwilling to talk about it, or to give it up.” But that, of course, assumes we didn’t cross that threshold yesterday.