The Evolution of Cyber Warfare
Author: Greg Bruno, Staff Writer
February 27, 2008
In the spring of 2007, when Estonian authorities moved a monument to the Red Army from the center of its capital city, Tallinn, to the outskirts of town, a diplomatic row erupted with neighboring Russia. Estonian nationalists regard the army as occupiers and oppressors, a sentiment that dates to the long period of Soviet rule following the Second World War, when the Soviet Union absorbed all three Baltic states. Ethnic Russians, who make up about a quarter of Estonia’s 1.3 million people, were nonetheless incensed by the statue’s treatment and took to the streets in protest. Estonia later blamed Moscow for orchestrating the unrest; order was restored only after U.S. and European diplomatic interventions. But the story of the “Bronze Statue” did not end there. Days after the riots the computerized infrastructure of Estonia’s high-tech government began to fray, victimized by what experts in cybersecurity termed a coordinated “denial of service” attack. A flood of bogus requests for information from computers around the world conspired to cripple (Wired) the websites of Estonian banks, media outlets, and ministries for days. Estonia denounced the attacks as an unprovoked act of aggression from a regional foe (though experts still disagree on who perpetrated it—Moscow has denied any knowledge). Experts in cybersecurity went one step further: They called it the future of warfare.
The attack on Estonia’s “paperless government” (BBC) was one of the most publicized hacks in recent computing history. But it wasn’t the first case of cyber espionage, nor the most egregious. It’s the “tip of the iceberg of the quantity and quality of attacks that are going on,” says O. Sami Saydjari, president of the Cyber Defense Agency, a security consultant, and a former Pentagon computer security expert. Israel, India, Pakistan, and the United States have all been accused of launching similar attacks on adversaries.
China, however, may be the most active. Washington has accused the Chinese of hacking into government computer networks at the U.S. Departments of State, Commerce, and Defense—in some instances making off with data. But accusations of Chinese cyber-meddling reached a crescendo in June 2007, when, according to the Financial Times, hackers broke into a Pentagon network that serves the Office of the Secretary of Defense, briefly shutting it down. Chinese electronic espionage has also been suspected against British companies (Rolls Royce is one example), as well as government agencies in France, Germany, South Korea, and Taiwan. “Chinese capabilities in this area have evolved from defending networks from attack to offensive operations against adversary networks,” Deputy Undersecretary for Defense Richard P. Lawless told (PDF) a House committee in June 2007. China, like Russia, denies the accusations. Both countries argue any attacks originating from IP addresses inside their countries have been directed by rogue citizens, not their governments. Western targets, however, continue to accuse the Chinese of ratcheting up their cyber attack capabilities.
The United States, of course, is no innocent bystander. William M. Arkin, a defense analyst who writes the Early Warning blog for the Washington Post, says “our ability to penetrate into enemy computer networks, our ability to exploit communication networks, to manipulate digital information, is real,” but little is known about the precise nature of Washington’s offensive capabilities. Some details, however, have leaked. For instance, in March 2004 the Pentagon announced the formation of an Information Operations team—the Network Attack Support Staff—to streamline the military’s cyber attack capabilities (PDF). The aim, senior military officials said at the time, was to create an “interface between the combatant commanders and the intelligence community.”
Arkin, who has reported on cybersecurity issues for over two decades, says the U.S. military also has technologies capable of penetrating and jamming enemy networks, including the classified “Suter” system of airborne technology. According to Aviation Week, Suter has been integrated into unmanned aircraft and “allows users to invade communications networks, see what enemy sensors see, and even take over as systems administrator so sensors can be manipulated into positions so that approaching aircraft can’t be seen.” Some speculate the Israeli military used the capability during its air raid on a Syrian construction site in September 2007. The United States made use of nascent capabilities in the 1999 Kosovo War (MSNBC.com), and built on those lessons in Iraq (Wired).
Other cyber tactics are less sophisticated. The attack that temporarily brought down Estonian networks began with a flood of bogus messages targeting government servers, called a “denial of service” attack. The approach harnesses “botnets”—massive networks of interconnected computers—to bombard targeted networks with information requests while masking the location of the primary attacker. James Lewis, a security expert with the Center for Strategic and International Studies (CSIS), says hackers in the Estonia example likely took control of tens of thousands of computers around the world without the knowledge of their owners and directed them at the government’s servers. The result, he says, was a relatively minor attack that was nearly impossible to trace (PDF).
Another technique is the use of “malware,” “spyware,” and other malicious programs embedded in computer systems to steal information without user knowledge. The software is designed to hide undetected and siphon information from its host—everything from secrets stored on personal computers to Pentagon military mainframes. A December 2007 analysis of U.S. Air Force cyber vulnerabilities (PDF) notes much of the Pentagon’s operating systems are off-the-shelf components manufactured overseas, due to cheaper costs. But pinching pennies has potentially opened U.S. military networks to intrusion. “Foreign countries could place hidden components inside the computers, making the computers vulnerable for attack and/or spying,” the analysis concludes.
Less common but far more worrisome are cyber attacks aimed at critical infrastructure—like nuclear-power-plant control systems, banks, or subways. In March 2007 the Department of Energy’s Idaho Lab conducted an experiment to determine whether a power plant could be compromised by hacking alone. The result—a smoking, self-combusting diesel generator incapacitated by nothing more than keystrokes—sent shivers (CNN) through the private sector. The worries were apparently well-founded. In January 2008 a CIA analyst told U.S. utilities that hackers had succeeded in infiltrating electric companies in undisclosed locations outside the United States and, in at least one instance, shut off power to multiple cities. The hackers then demanded money (AP). “The [U.S.] government is scrambling to try and protect its own systems, to try and check the Chinese from reading government email,” says economist Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit research institute that studies cyber threats. “But the focus probably needs to be critical infrastructure. That’s what we need to defend.”
On paper the U.S. government appears to agree. For over a decade government-sanctioned studies have delved into the subject; the Pentagon published a report on “Information Warfare-Defense” (PDF) in 1996, when public use of the Internet was still in its infancy. Saydjari says all of these studies reached the same conclusion: “The threat and vulnerabilities to our national infrastructure is serious, it’s getting worse, and it’s getting worse at an increasingly fast rate.” But only recently has the concern been a constant focus of attention for the security and intelligence communities. Part of the attention deficit lies with the difficulty in defining the cyber threat. A 2006 Air Force task force termed cyberspace “a warfighting domain bounded by the electromagnetic spectrum,” but air force officials acknowledge “a full understanding of the domain is years away.”
What is understood is how potentially devastating the loss of cyberspace dominance could be to U.S. interests. In his annual threat assessment to Congress delivered in February 2008, Director of National Intelligence Michael McConnell discussed “cyber threats” before talking about the war in Afghanistan. “Our information infrastructure …increasingly is being targeted for exploitation and potentially for disruption or destruction by a growing array of state and non-state adversaries,” McConnell said. “We assess that nations, including Russia and China, have the technical capabilities to target and disrupt” the United States’ information infrastructure.
“Chinese [cyber warfare] capabilities have evolved from defending networks from attack to offensive operations against adversary networks.”
–U.S. Deputy Under Secretary for Defense Richard P. Lawless
The Pentagon, too, has acknowledged the threat to its infrastructure. The Defense Department is considering banning nonofficial traffic (Federal Computer Week) from its servers, and the U.S. Air Force is creating a Cyber Command to defend Pentagon networks. “When we talk about the speed range and flexibility of air power, the thing that enables this for us is the fact of our cyber-dominance,” Air Force Gen. Robert Elder told United Press International.
The recent flurry of high-level pronouncements also comes amid a renewed funding commitment from Washington. In November 2007 the Bush administration called on the National Security Agency to coordinate with the Department of Homeland Security to protect government and civilian communication networks from hackers. The $144 million plan, unveiled quietly in White House budget documents (PDF), aims to enhance “civilian agency cybersecurity and strengthen defenses to combat terrorism.” In January 2008 President George W. Bush signed two presidential directives calling for the creation of a comprehensive national cybersecurity initiative. According to an article by the Wall Street Journal, the White House’s 2009 budget request takes the program exponentially further, with an estimated $6 billion request to build a secretive system to protect U.S. communications networks. Details of the proposed program remain classified, angering some civil libertarians who fear monitoring of civilian networks could infringe on privacy rights. Rep. Bennie G. Thompson (D-MS), chairman of the House Homeland Security Committee, has called for the program to be put on hold (PDF) until Congress can adequately review it.
Cyber experts don’t dispute that electronic espionage is a vexing problem, or that the United States is a prime target. But they do disagree on how pervasive such attacks are, who is behind them, and how disruptive they may prove to be. According to a tally by the Heritage Foundation, a conservative Washington think tank, the hackers may already be winning: In 2007 the Department of Homeland Security logged an estimated 37,000 attempted breaches of private and government computer systems, and over 80,000 attacks on Pentagon systems. Some hacks “reduced the U.S. military’s operational capabilities,” the report says (PDF).
Economist Borg says the biggest threat from cyber attacks may be economic. He estimates a shutdown of electric power to any sizable region for more than ten days would stop over 70 percent of all economic activity in that region. “If you can do that with a pure cyber attack on only one critical infrastructure, why would you bother with any traditional military attack?” CSIS’ Lewis takes a less alarmist view. “The U.S. is a very big set of targets, and some of our important networks are very secure. So you could inflict damage on the U.S. but it wouldn’t be crippling or decisive,” he says. “I’ve seen people who say a cyber attack could turn the United States into a third-world nation in a matter of minutes. That’s silly. We have to be realistic about this.”
Copyright 2008 by the Council on Foreign Relations. All Rights Reserved.

