ASCF Report | 8.2.12
By Alan W. Dowd
The head of the
UN agency on information technology fears “the next world war could happen in
cyberspace.” In fact, if the actions of power-projecting countries like China
and Russia—and for that matter, the United States—are any indication, that war
in cyberspace may already be underway.
To prevent cyber-skirmishes
from triggering real-world conflicts, several nations are calling on the UN to
“create norms of accepted behavior in cyberspace [and] exchange information on
national legislation and cyber-security strategies,” as The Washington Post recently reported. But given that two of the governments
calling for cyber-cooperation are Russia and China—each guilty of some of the
most egregious cyber-assaults to date—the UN’s plan for cyber-peace in our time
probably won’t deliver much.
A more likely
source of peace and security in this new frontier is developing the assets,
doctrine and resolve to deter and, if necessary, answer in kind cyberattacks.
The U.S. military and its closest
allies are doing just that. President Ronald Reagan might have called it
“cyber-peace through cyber-strength.”
A New Domain
To get a sense of how
important cyberspace is to the United States and its military, think of this
invisible domain as a part of the global commons, just like the sea, sky and
space. Indeed, Gen. Keith Alexander, commander of U.S. Cyber Command
(CYBERCOM), likens “freedom of action in cyberspace in the 21st century” to
“freedom of the seas…in the 19th century and access to air and space in the
20th century.”
That helps
explain why the Bush and Obama administrations have made cyberdefense a top
priority.
President George W. Bush, who called
cyberspace “the nervous system” of America’s critical infrastructure, launched
the Comprehensive National Cybersecurity Initiative, which committed some $30
billion to strengthening government networks. Bush also initiated a series of
readiness exercises under the Department of Homeland Security. These “Cyber
Storm” exercises test the ability of industry, government, allied partners and
the U.S. military to weather cyberattacks.
However, the Bush
administration refused to stay on the defensive in cyberspace. In 2006, Bush
authorized the so-called “Olympic Games” cyberattacks against computer systems
that run Iran’s nuclear program. The Obama administration eagerly continued the
effort, which included the now-famous Stuxnet computer worm.
Taking the baton—or mouse, as
it were—from his predecessor, President Barack Obama created a special White
House office to coordinate cybersecurity. He also stood up CYBERCOM in 2010, in
a clear sign of the Pentagon’s expanding role in this new and mysterious area
of operations. And he gave the Pentagon a green light to treat cyberspace like any other military domain, authorizing Alexander’s
cyberwarriors to develop capabilities to “deceive, deny, disrupt, degrade and
destroy” enemy information systems. Toward that end, the Pentagon is spending
$3.4 billion this year on offensive and defensive cyber-technologies.
Obama also has pressed
lawmakers to pass the Cybersecurity Act, which is currently pending in Congress.
Although the bill has its critics, its goals are laudable: implementing cyber
response and restoration plans, exploring U.S. vulnerabilities in cyberspace,
identifying critical infrastructure, updating information-security
requirements, promoting cyber-security awareness nationwide, developing new
technologies to defend against cyberattacks, promoting cooperation across
agencies and between government and industry, and training new generations of
cybersecurity professionals.
That last item is crucial.
According to Rep. Jim Langevin, “We only have about a thousand people that can
operate at world-class levels in cyberspace. What we need is more like 20,000
or 30,000 people.”
Indeed, Gen. James Cartwright
(USMC RET) has warned that “Unlike the air, land
and sea domains, we lack dominance in cyberspace and could grow
increasingly vulnerable if we do not fundamentally change how we view this
battle-space.”
He was speaking not so much
to the military as to policymakers and the public at large. Cyberspace is a
vast, ungoverned and largely unguarded frontier that provides America’s
enemies—from anarchist hacker groups like Anonymous to terrorist syndicates
like al Qaeda to near-peer competitors like China and Russia—with access to the
nervous system that controls the U.S. economy and military.
Given the risks, U.S. military leaders recently recommended the
elevation of CYBERCOM to full combatant command status. That makes sense. But there’s more to do.
Cyber-Offense in Action
“We have to have offensive capabilities, to, in real time, shut down somebody
trying to attack us,” according to Alexander. Perhaps some of those
capabilities were put on display with Stuxnet.
Launched sometime in 2008, Stuxnet sabotaged the computers running Iran’s
uranium-enrichment program and centrifuges. Once it found its intended target,
Stuxnet quietly ripped through Iran’s nuclear program. For 17 months, it
targeted the operating systems running the program; tricked centrifuges into
running faster than normal, then abruptly slowed them down; and corrupted the
uranium that was produced. An Institute for Science
and International Security study cited by Newsweek concludes that Stuxnet crippled Iran’s ability to activate new centrifuges
throughout 2009; at least 1,000 centrifuges “simply broke down”; and 30,000
computers supporting Iran’s nuclear program were disabled.
Stuxnet became the first
major cyberattack “used to effect physical destruction,” as Michael Hayden,
Bush’s CIA director, explained. According to Ralph Langner, an expert in
industrial computer systems, Stuxnet “was as effective as a military strike.”
He has compared Stuxnet to “the arrival of an F-35 into a World War I
battlefield.”
The good news for
Iran’s enemies is that Stuxnet set back Iran’s nuclear program several years,
perhaps delaying an Iranian bomb to 2015. The bad news, the critics warn, is
that if a cyber-smart bomb like Stuxnet
can be deployed against the nascent nuclear infrastructure of America’s
enemies, it can surely be deployed against the highly networked military and
civilian infrastructure of the United States.
While this is a real
possibility, it ignores two important realities. First, the enemy is already working
on cyber-weapons and will employ them against the U.S.—and already has—regardless
of what America’s cyberwarriors do. Second, the United States develops weapons
systems for a purpose: to defend the country and serve the national interest.
Sometimes this is achieved by the mere existence of a weapons system. But at
other times, defending the nation depends on deploying a weapons system.
To be sure, policymakers
should contemplate the broader implications of cyber-weapons like Stuxnet, but
weapons systems are about dealing with here-and-now threats. Consider President
Harry Truman’s decision to use atomic weapons against Japan. Although it opened
the door to the unthinkable during the Cold War, it served U.S. interests in
1945.
Without a Net
Speaking of the Cold War, to defend
America in the Cyber Age, policymakers should borrow a page or two from the
early days of the Atomic Age.
The atomic bomb changed the
calculus, costs and consequences of great-power conflict. So, Washington built
a military that could fight and win in an era of nukes and ICBMs; formed a web
of alliances to deter war; made it clear that the U.S. would respond with
“massive retaliation” in the event of war; and developed continuity plans to
ensure the survival of the republic. President
Dwight Eisenhower, for instance, cited
continuity, civil defense and national security in rallying support for the
interstate highway system: “In case of an atomic attack on our key cities, the
road net must permit quick evacuation of target areas, mobilization of defense
forces and maintenance of every essential economic function.”
In the same way,
Americans must forge a cyberdefense doctrine that will protect the nation’s
critical infrastructure, prepare for worst-case scenarios, deter catastrophic cyberattacks,
mitigate the effects of low-grade cyberattacks and enable the military to conduct
operations in cyberspace.
Today, as in the
Atomic Age, deterring the enemy is an important goal. As we learned during the Cold War, preparedness itself
can have a deterrent effect. Cyber Storm exercises—which enfold dozens of
private-sector firms and partner countries—send an important readiness message
to our enemies by highlighting capabilities and testing system resiliency.
Likewise, the military’s Cyber Flag exercises—named after Red Flag, which hones
the skills of fighter pilots—bring together cyber-components from each military
branch to engage in “realistic and intense simulated cyber-combat against live
opposition.”
To assist the
warfighters in their deterrence mission, it would be helpful for the
policymakers to let it be known that the U.S. will view a cyberattack on
critical infrastructure in the same way as a traditional military attack. It’s
worth noting that Russian military officials argue that “the use of information
warfare against Russia or its armed forces will categorically not be considered
a non-military phase of a conflict, whether there were casualties or not.”
Of course, deterrence doesn’t
work on most non-state actors, as 9/11 taught us. And since cyberspace provides
anonymity, even those nation-states that are deterred in the realm of B-2
bombers and M-1 tanks might be tempted to strike in the realm of code and data.
For those times when deterrence fails, the U.S. must be able and willing to go
on the offensive. Toward that end, top military planners are engaged in an
effort “to dominate the digital battlefield just like they do the traditional
battlefield,” according to one cybersecurity expert. “Plan X,” as it’s ominously called, is a DARPA research effort aimed
at creating a map of everything in cyberspace—all the billions of computers,
devices and related networks that make up this ever-growing invisible domain. “Such a map would help commanders identify
targets and disable them using computer code,” as a Washington Post report explains.
As attacks are
launched against America’s swath of cyberspace, U.S. intelligence will need to
trace and, where applicable, establish links between nation-states and
cyberattacks emanating from their territory. Even if independent actors are
responsible for a cyberattack, they still operate within a country—and
governments are obligated to police what happens within their borders. Allied
cooperation will be important in this effort. After Web War I in Estonia, NATO formed a center to help member states
“defy and successfully counter” cyberattacks. NATO
conducted Operation Locked Shields this year to test the allies’ ability to do
just that.
Finally, Washington
must explore the feasibility of developing new redundancies—or dusting off old
ones—that don’t depend on cyberspace. It pays to recall that not long ago, we
delivered essential services—we even defended a nation—without the Internet.
*Dowd is a senior fellow with the American Security Council Foundation, where he writes The Dowd Report, a monthly review of international events and their impact on U.S. national security.