Part 4 of a series on U.S. cybersecurity. Part 1. Part 2. Part 3.
I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones.
The age of cyberwarfare is finally upon us. This transformation is irreversible; former Defense Secretary Chuck Hagel notes that “cyber[space] will be part of all future conflicts.” The difference between this and previous military transformations is that civilians are more likely to be caught in the crossfire, if not intentionally targeted. Faced with this new landscape, the United States must adapt quickly to take advantage of the opportunities cyberwarfare creates and mitigate the risks it accompanies.
There is some good news: cyber is not as easily accessible as the public may believe. Although some reports practically obsess over the ability of non-state actors to interfere with existing inter-state operations. The kind of massive, coordinated, and robust attacks that military planners most need to fear will continue to come primarily from state actors. As Peter Singer and Allan Friedman noted in Wired magazine, “Red Bull gives you wings, but not the instant expertise to attack at an advanced level. Stuxnet’s creation required everything from intelligence analysis and collection to advanced knowledge of engineering and nuclear physics.” This is not merely theoretical. Despite the continued existence of criminal hacking enterprises, the ability of Stuxnet to act as a blueprint for future attacks, and the supposed start of the cyberwarfare era, no major attacks have been observed from either state or non-state actors. Nations are likely holding their weapons in reserve for the day they are most needed, but this does not explain the lack of third party attacks. As Wired journalist Kim Zetter notes, “They’re going after the easy targets…The average hackers just don’t have any interest in this.” This may change in the future, but for now, cybercriminals appear content to troll for credit cards and bank PIN’s rather than graduate to holding city power grids hostage.
While it is likely that many nations will attempt to build a cyber arsenal, the high costs associated with a comprehensive program will prevent many nations from making cyberweapons a mainstay of military strategy. Comparatively, few nations have the human capital to support such a program. The U.S. National Security Agency employs an army of mathematicians, programmers, cryptographers, and engineers, a pool of intellect that is simply not available to many nations. According to Harvey Davis, “[the] NSA is said to be the largest employer of mathematicians in the United States and perhaps the world.” In addition, depending on the attack, cyberweapons can require substantial supporting intelligence; Stuxnet, for example, required advanced knowledge of the Iranian nuclear plant at Natanz. The group of nations with intelligence services sophisticated enough to consistently gather intelligence on another nation’s most important systems is fairly small. Next, there is the large financial cost. The United States will spend $5.1 billion on developing its cyberwarfare capabilities in 2015, more than the entire military budgets of all but 38 other nations. This number likely does not include the costs associated with intelligence gathering. The final straw for many nations will be cyberweapons’ high risk of obsolescence. Many nations will balk at the idea of investing millions in an attack, only for a patch from Microsoft to render years of work a moot point. Cyberattacks represent a risky and inconsistent investment for many states, who may find more value investing in tested and traditional weapons programs, or programs with lower risk and higher payoff, like chemical, biological, or nuclear programs. This will be a critical advantage for the United States. As one of the few nations with a comprehensive cyberwarfare program, it will be able to strike previously inaccessible targets and increase pressure on rogue states.
However, the lack of overwhelming force in cyberspace will not stop many states from becoming significant actors. And while sophisticated attacks like Stuxnet may remain uncommon outside of the most powerful actors, even a comparatively ham-fisted attack could deal great damage. The nations that will be most competent at cyberwarfare (i.e. those who have made the greatest investment in science and technology) are also those nations with the most to lose. Power, water, and communications networks all represent incredibly important and hard-to-defend targets that are often controlled by multiple private sector entities. Particularly given their relative anonymity, cyberweapons could be used to punish a nation for failure to cooperate with demands, or as retaliation for an attack.
The greatest risk for the United States lies in regional powers and rogue states. Most of the strongest actors are either U.S. allies (e.g. Britain) or are economically co-dependent on the U.S. (e.g. China), with the only partial exception being Russia. Regional powers and rogue states, like Iran and North Korea, will be the biggest challenge for U.S. policy makers. These powers will be more effectively able to coerce neighbors, deter assault, and influence diplomacy. Worse, any action the United States contemplates against a state with a known cyberweapons program will force the U.S. to factor in the risk of a retaliatory strike against U.S. allies or the U.S. mainland. Counteracting these effects will require building extensive intelligence networks and cooperating with American firms (something the NSA is currently undermining) in order to successfully attribute an attack and respond. Alternatively, the U.S. must be prepared to step up covert retaliation, whether traditional or cyber. The covert solution, however, comes with a myriad of problems. First, if discovered, it would undermine U.S. legitimacy among allies and international institutions. Second, discovery raises the probability of a covert war with the target nation or an unintentional escalation. Finally, covert retaliation will require U.S. policy makers to devise an attack which can be attributed to the U.S. (after all, retaliation requires the target to know who hit him) but which is not so obvious that the U.S. is blamed internationally.
The United States itself must be conservative with its use of cyberweapons; every attack increases the odds that cyberweapons will be used more frequently in the future. Each use of cyberweapons further legitimizes their use. Every successful cyberweapon will encourage more nations to pursue the technology, in turn increasing the probability of cyberattacks. The US must be careful not to take free license in retaliation; any attack could potentially be an attempt at framing another nation to inflame tensions. Furthermore, every cyberattack also acts as an instruction manual for the target nation; it is the digital equivalent of dropping a bomb and mailing your enemy the blueprints for the bomb, plus the plane that dropped it. This is because of the nature of software; unless a cyberweapon manages to completely erase all of its footprints (a generally unlikely occurrence), it will leave traces of itself (or all of itself) for researchers to reverse engineer. This phenomenon has already been observed in Iran: the U.S. government blames Iran for an attack on Saudi Aramco, Saudi Arabia’s national oil company. That same attack is believed to be a copycat of an attack on the Iranian Oil Ministry and National Iranian Oil Company, which itself likely originated in the U.S. or Israel.
One of cyberwarfare’s most dangerous features is its ability to lower the threshold of will required to initiate an attack. With no risk to personnel and a chance at never being identified, nations will increasingly seek to use cyberweapons in situations where, in the past, they would have chosen nonviolent action. In order to avoid being patched into obsolescence, the short half-life of these weapons will encourage nations to use them sooner rather than later,. Just as drones lowered the threshold for going to war and made it easier to continue wars, cyberweapons tempt nations with the chance at getting off scot-free. For example, last year, North Korea allegedly attacked Sony Pictures in retaliation for producing the film The Interview. Although publishing embarrassing emails between Sony executives hardly qualifies as full blown cyberwarfare, the incident is indicative of how a nation that would previously have had no rational recourse could now project power with few repercussions. Although the U.S. issued fresh sanctions against North Korea and possibly shut down DPRK internet for a short period of time, the Sony hack achieved its likely goal: while screenings of The Interview went forward (although in fewer theaters), Sony Pictures scrapped plans for another movie about the Hermit Kingdom.
To be prepared for war is one of the most effective means of preserving peace.
Avoiding escalation to physical warfare will depend upon establishing an effective threshold of retaliation. Too high a threshold and a nation will subject itself to small-scale attacks with no recourse; too low a threshold and that nation risks antagonizing other actors and escalating the situation. Cyberwarfare brings a significant change to this traditional calculation: unlike in conventional warfare, cyberweapons can deal a low level of damage for a long time, or may not be discovered or attributed until years after the fact. Even large attacks can be spread out over a long period of time, as Stuxnet was, confusing policy wonks as to the appropriate response. On the other hand, nations can launch thousands of small attacks, none of which individually would justify a response, but taken together reflect a major attack. China, for instance, has undertaken a years-long campaign of computer network exploitation (CNE) against U.S. infrastructure, corporations, and military installations in an attempt to gather intelligence and steal intellectual property for economic gain. While these attacks probably do not qualify as cyberwarfare (CNE generally falls into a lesser category), they nonetheless represent billions of dollars of economic loss for the United States. The response to this problem is telling. The American government initially focused on resolving cyber-theft issues diplomatically; more recently, it has resorted to directly indicting Chinese military officials. This has resulted in little but a resentful China. Neither side appears prepared to back down; the situation will continue to escalate until China experiences a high enough cost to offset the economic benefit of CNE, or until some agreement is brokered.
Maintaining a credible threshold of retaliation requires establishing a record of adhering to that threshold. As of now, and likely for years to come, no one has such a record; policy planners will need to anticipate that offensive cyber operations will be a more frequent occurrence until such a record is established. Unfortunately, retaliating against cyberattacks is a complex proposition. The principle of proportional response leads to the assumption that often the rational response to a cyberattack is another cyberattack. But in order to establish deterrence with a retaliatory strike, the target must know they are being struck, and by whom. This eliminates many of the greatest benefits of cyberwarfare, including the ability to strike over a long period of time, the ability to strike a target without the target immediate detection, and the ability to avoid the attribution of an attack.
Establishing such a threshold should be critical policy objective for the United States. This should begin in China. The Obama administration waited far too long to address the issue of CNE with the Chinese government. Likely viewing such low-level attacks as more of a free-trade or intellectual property issue, the administration put off angering the Chinese government to deal with supposedly bigger issues. In the meantime, the U.S. established some of the first norms in international cyber operations. Rather than nipping the CNE issue in the bud by addressing it early on, the Chinese cyber operation was allowed to become massive, stealing billions from U.S. companies every year. Now, the U.S. must take increasingly drastic measures to change the norm it allowed China to establish. A plausible next step may involve rolling discussions on CNE into trade talks with China. For example, China is interested in joining the American-led Trans-Pacific Partnership, a free-trade scheme currently being discussed between nations in the Asia-Pacific region, excluding China.
However, with nations like Iran, a direct approach may prove more pragmatic. For example, while the U.S. has not presented convincing evidence of Iran’s guilt in the case of the Saudi Aramco attack, which took place before Iran came back to the nuclear negotiating table, if intelligence was convinced of Iran’s role at the time, this would have been a prime opportunity for the U.S. to make a covert response. Such a response would have been doubly beneficial. First, the U.S. would be making it clear to Iranian leadership that cyberattacks would not be tolerated, discouraging Iran from using cyberwarfare in all but the most enticing of circumstances. Second, even in the case of a covert operation, the U.S. would be better able to discourage the leadership of regional victims (in this case, Saudi Arabia) from launching their own attacks, which may not be as sophisticated and effectively targeted as an American weapon. While it does not appear that Saudi Arabia made any such response, as cyberwarfare programs become more widespread, such a risk will grow.
Cry ‘Havoc,’ and let slip the dogs of war
Due to the ability of cyberweapons to act as blueprints for the enemy, the U.S. should reserve such strikes only for the most valuable and hard-to-reach targets, such as an underground nuclear enrichment facility. This may make it difficult for the U.S. to launch retaliatory cyberattacks, but it is the price that must be paid for preventing (or at least delaying) the deployment of cyberweapons against the U.S. civilian population. The U.S. must draw a red line at domestic civilian infrastructure so bright that no nation dare cross it; to attack other nations’ civilian infrastructure would prove hypocritical.
Cyberspace is an untested area, and one unlike any we have previously encountered. There will almost certainly be mistakes made when cyber policies are drafted. But the U.S. cannot afford to sit back and watch as other nations define the norms which will govern cyberspace for decades to come. Getting out in front of this issue now means the U.S. will gain a strategic lead while reducing the risk to itself. That means taking a very limited view of what targets are viable candidates for a cyberattack. It also means that the U.S. must be willing to take what may seem drastic action against states that refuse to limit their cyber operations, or risk establishing norms that will haunt us for the rest of the 21st century.
Featured image credit: techrepublic.com
Author’s note: Many of the claims made in this article cannot be fully substantiated with evidence for the simple reason that cyberweapons are too new for anyone to know for certain where they are going. Unless otherwise cited, the views expressed in this article are my own, and are subject to change given new evidence.
Acknowledgements: Much of the basis for this article, particularly regarding Stuxnet, comes from Countdown to Zero Day by Kim Zetter, as well as an author interview with Ms. Zetter in February 2015. Kim Zetter’s work inspired and paved the way for this article. I am also particularly indebted to this RAND Corporation analysis for several key ideas; I have tried to cite the RAND study whenever I use or expand on their ideas.
Image source: Wikimedia Foundation