By Alan W. Dowd
“How do we come to grips with the problems that modern technology and current international relations present us?” So began Herman Kahn’s landmark work on preventing—and if necessary, waging and winning—a nuclear war with the Soviet Union. “Thermonuclear war may seem unthinkable, immoral, insane, hideous or highly unlikely,” he observed in Thinking about the Unthinkable, “but it is not impossible.” And because the unthinkable was quite possible, Kahn concluded that it was his duty as a thinker and scientist to wrestle with what so many of his peers ignored or hoped would just go away. In Kahn’s view, to prevent the unthinkable, it was essential to think “about how to fight, survive and terminate a war, should it occur.”
Perhaps it was kismet, perhaps coincidence, but Kahn published these ideas amid Moscow’s reckless gambit in Cuba, which brought the world to the brink of the unthinkable. Thanks in no small part to Kahn’s willingness to contemplate the very worst, US military and political leaders steadily shifted away from the defeatism of MAD, reoriented the country’s military strategy, and won the Cold War in a relatively peaceful fashion.
What was true in the Atomic Age, when Moscow’s transcontinental empire threatened civilization with nuclear annihilation, remains true in the Information Age, as stateless bands of terrorists and a handful of dictators threaten civilization with a range of weapons. Some of these weapons aren’t really even weapons, as we learned on September 11, 2001. Some are simple and readily available, as the people of Israel and Iraq, Indonesia and India, are reminded every time a homemade bomb tears through a place of worship or commerce. Some are the offspring of the Information Age itself; they are easy to acquire, simple to use, and inexpensive. In the hands of a committed adversary, they are capable of wreaking death and destruction with the push of a button. Even now, they are being used to probe America for weaknesses and wage a new kind of war—cyber-war. After years of averting its gaze, Washington is finally taking notice.
One of the major ingredients for America’s disproportionate power in the 21st century is its mastery of new technologies and capacity—even eagerness—to incorporate them into its economy, culture, and military. Yet it is an irony befitting a Greek tragedy that the very thing that makes the United States so powerful also makes it more susceptible and vulnerable than any other nation to a crippling attack in cyber-space.
As President George W. Bush explained in a recent strategy document, “In the past few years, threats in cyberspace have risen dramatically.” It’s easy to see why: Given the amorphous, open, and ever-expanding nature of cyber-space, it is extremely difficult territory to secure and defend; and given America’s primacy in traditional fields of conflict (on the ground, at sea, in the air, and in space), cyber-space is increasingly where America’s enemies pick their fights. “Ironically, we have destroyed the war we do best,” as Michael Vlahos of the Joint Warfare Analysis Department at Johns Hopkins concludes. “No one can hope to win fighting our kind of war, so they will make war they can win.” Cyber-war may be such a war.
According to the Congressional Research Service, the Pentagon’s computer systems are attacked thousands of times each year. Some of the attacks are akin to a gnat biting an elephant, but some are more serious. In 1994, for example, the Rome Laboratory, a key node of US Air Force researchers and computer specialists, was victimized by 150 separate cyber-attacks. After tearing through the Air Force system, the cyber-terrorist (a 16-year-old Briton) also targeted NATO headquarters and Wright-Patterson AFB. In 1998, a group of hackers in California and Israel attacked a number of computer networks at US Air Force bases, universities, and businesses. A 1998 report found that hackers made 200 separate attempts to break into the computer systems at key US nuclear labs. As late as April 1999, the cyber-security situation was so grave that then-Secretary of Energy Bill Richardson ordered a system-wide shutdown for two weeks.
During the US-led NATO operation against Bosnian-Serb forces in 1995, the Serbs used computer systems to research the backgrounds of US pilots and then threaten their families. Four years later, during the air war over Kosovo and Serbia proper, teams of Chinese and Serbian hackers attacked cyber-targets of opportunity in the West. The Chinese hacked into websites run by the Departments of Energy and Interior. They defaced and effectively hijacked the sites, forcing the White House and other government sites to shut down out of self-protection. Other attacks came in the form of countless emails, which were sent to slow down and overload government servers.
The cyber-battle was not one-sided, of course. Independent Dutch and American hackers fired back early and often, and the US military employed information warfare tactics against Belgrade throughout the war. For example, as MSNBC reported in 2001, a special US-UK unit used e-mail and computer systems to conduct psychological operations against Slobodan Milosevic’s generals and friends, who had been enriched—and would be impoverished or killed—as a result of their close association with the Serbian dictator. However, no network-killing viruses were let loose against Milosevic, prompting former NATO Commander Wes Clark to dismiss the allied cyber-salvos as little more than “harassment.”
Still, this blending of cyber-war tactics into traditional war fighting will continue, and like other military innovations it promises to become more effective as technology and tactics improve. China, for example, is fielding a force of shock computer “troops” to wage war in cyber-space. Known as the “Net Force,” the unit has conducted annual training exercises ever since 1997. Some computer and defense experts have warned that China is training the force to serve as the vanguard of a conventional attack on Taiwan.
China is not alone. More than 20 nations have information warfare capabilities, among them some of America’s most bitter enemies—Cuba, North Korea, Libya, Iran, and Syria. The Indian government, for example, blames Pakistani intelligence agents for hacking into the Indian army’s main website and effectively holding it hostage ahead of talks in 1998. According to Lt. Col. Timothy Thomas of the Army’s Foreign Military Studies Office, Hezbollah has plans in place to cripple Israeli government, military, and financial networks with cyber attacks. The strategy includes attacks on e-commerce, Internet Service Providers, and the Israeli stock exchange—thus paralyzing Israel’s technology-dependent society.
Countries are neither the sole targets nor the sole practitioners of cyber-warfare: The “White Hat” computer virus, for example, devastated the Air Canada computer system in the summer of 2003. A man-made computer “worm” chewed through Lockheed Martin’s system, forcing the defense giant to shut down parts of its network in August 2003. Exactly a week after the terrorist attacks on Manhattan and Washington, the Nimda virus used the Internet to skip across the world’s interconnected web of computer networks, leaving billions of dollars in damaged systems and corrupted computers in its wake. Although the Nimda attack was overshadowed by the events of September 11, Thomas notes that cyber-security experts call it 9/11’s cyber-space equivalent. “Nimda’s creator,” Thomas adds ominously, “has never been identified.”
Together, the disparate groups, governments and individuals that create and launch these invisible weapons are taking the postmodern warfare we witnessed firsthand on September 11 to a new level: The enemy is no longer just stateless—he is nameless and faceless and place-less. The enemy is not just transnational—he is a-national, living and hiding and attacking in a world where there are no borders. The enemy is no longer virtually invisible—he is, well, virtual.
Which is one reason why critics of cyber-preparedness argue that a war waged in cyber-space, with bytes and streams of code rather than bullets and bombs, can’t really hurt us, since we live in a world of tangible elements—land and sea, flesh and blood. They’re wrong.
One doesn’t have to be a Matrix fanatic to recognize that vast stretches of “the real world” are controlled by that invisible world of cyber-space. Water-pumping and purification stations, electrical utilities, hospitals, banks, and airports simply cannot function today without computer networks. Winn Schwartau, an expert on information security and infrastructure protection, notes that cyber-terrorists have successfully attacked and disabled all of these network-dependent targets in recent years.
Americans are steadily coming to grips with this reality. Since 1999, for example, the Pentagon has assigned cyber-war preparedness to a four-star general. In 2003, Bush ordered military planners to develop guidelines for the use of cyber-weapons by US forces; the Department of Defense invested 28 percent more than in 2002 on programs aimed at attacking enemy information-warfare capabilities and defending our own; and Pentagon spending on programs to manipulate and master information technology of all kinds jumped by 125 percent.
On the offensive front, the Pentagon’s new Joint Task Force on Computer Network Operations is helping US military forces incorporate cyber-weapons into traditional war fighting. On the defensive side, the Department of Defense is updating all of its new Internet-related equipment and software to meet the latest Internet security protocols; and the Pentagon’s entire fleet of computers and networks will be switched over to the new protocols within four years.
Also in 2003, Bush released the aforementioned strategy to secure the civilian stretches of cyberspace. “The cornerstone of America’s cyberspace security strategy,” according to Bush, “is and will remain a public-private partnership…Only by acting together can we build a more secure future in cyberspace.” I observed one such effort firsthand as I wrote this piece. After clicking onto the White House website to download and read the president’s National Strategy to Secure Cyberspace, the Microsoft software grafted onto my PC’s hard drive stopped me dead in my cyber-tracks and warned me to think twice before going any further: Some files can contain viruses or otherwise be harmful to your computer, the message reminded me. It is important to be certain this file is from a trustworthy source. (Whether or not the White House is a trustworthy source is a subject for another essay, but since I am of the opinion that it is I took the risk and downloaded the document.)
This is just one small example of cross-sector cooperation in preventing, slowing, and if necessary, tracking and monitoring the spread of cyber-viruses and cyber-attacks. There are many others we never see.
For instance, the White House is calling on industry leaders to improve computer training, enhance technology safeguards, identify and remove vulnerabilities (hence, the endless flow of “patches” and automatic updates), and cooperate with one another on cyber-security. At the same time, government agencies such as the Department of Homeland Security are developing redundancies, conducting cyber-drills, building cyber-warning systems, hardening government computer networks, and developing recovery plans in the event of the unthinkable—a Pearl Harbor or 9/11 in cyber-space, a virtual attack that would have very real consequences.
As Mr. Kahn put it in an earlier age of terror, “We must appreciate these possibilities. We cannot wish them away.”