Providence | 3.7.16
By Alan Dowd
CSIS has developed a new online tool for tracking
major cyberattacks around the world. The website is as helpful as it is
sobering.
Starting with the December 2015 cyberattack on Ukraine’s utility sector and working its way backwards, the
interactive site catalogues hundreds of cyberattacks, data breaches and other
malicious cyber-events dating to April 2000.
When
observed in one long stream of images and data, the breadth, depth and accelerating
growth of this uniquely 21st-century threat all come into focus. Large-scale
cyberattacks targeting U.S. citizens, interests and infrastructure are
happening so frequently that it’s nearly impossible to keep track of the
onslaught. The most recent of these came last summer, when China penetrated the
Office of Personnel Management and compromised the personal, financial and
employment history of 21.5 million Americans. U.S. officials describe it as
perhaps “the most devastating cyberattack in our nation’s history.”
To
date, cyberattacks targeting the U.S. have not been crippling, but they have
been costly:
- Cyberattacks cost the
average American company $15.4
million annually. A CSIS study estimates
the annual global cost of malicious cyber-activity at between $375 billion
and $575 billion. “That’s our future disappearing in front of us,” says Gen.
Keith Alexander, former head of U.S. Cyber Command (CYBERCOM).
- In 2013, the U.S.
government notified more than 3,000
companies—many of them defense contractors—that their networks
had been compromised.
- Some 431 million people
around the world are victimized by cyberattacks annually, including one in
four American adults.

Much
of the cyber-onslaught emanates from China. Alexander calls China’s cyber-siege
of the United States “the largest transfer of wealth in
history.” According to a study conducted
for the U.S.-China Economic and Security Review Commission (USCC), China’s use
of “computer network exploitation activities to support espionage has opened
rich veins of previously inaccessible information that can be mined both in
support of national-security concerns and, more significantly, for national
economic development.” For
example:
- Beijing used
cyberattacks to infiltrate subcontracting firms and systems related to the
F-35 Joint Strike Fighter program and C-17 transport plane program.
- Beijing exploited
cyberspace to gain “full functional control over networks at the Jet
Propulsion Laboratory,” according to the USCC.
- China launched
“spearphishing” attacks against Westinghouse, Alcoa, Allegheny
Technologies, U.S. Steel, the United Steelworkers Union and SolarWorld.
- In 2013,
information-security firm Mandiant pointed to a shadowy unit of the
People’s Liberation Army (PLA) called “Unit 61398” as the source of many
Chinese cyberattacks. Unit 61398 has attacked government
ministries in the U.S., Europe, Japan and other countries; penetrated computer systems at U.S. defense firms, the Pentagon and NASA; planted
computer components in the United States with Trojan
horse codes; and stolen massive amounts of information. “We
witnessed them stealing hundreds of terabytes of data from 141 companies,”
Mandiant reported, adding, “A unit of the PLA has in fact been chartered
to compromise the U.S. infrastructure and steal our intellectual
property.”

There
is more—and worse—to come. Alexander worries about the
“transition from disruptive to destructive attacks.”
For
some of America’s allies, destructive attacks have already come. In 2007, in
what has been called “Web War I,” Russian cyberattacks cut off Estonia from the
world—hacking the websites of the president, prime minister, parliament and
foreign ministry; crippling Estonia’s communications infrastructure; and
disabling the mobile-phone network, the 911 equivalent and the country’s
largest bank. After Web War I, Ene Ergma, head of the Estonian parliament,
wearily explained, “Cyberwar doesn’t make you bleed. But it can destroy
everything.”
In
2012, Iran’s Shamoon computer virus destroyed 30,000 computers linked to the
Saudi oil industry.
In
2013, North Korea’s “DarkSeoul” attacks wiped the master boot records of 32,000
computers at South Korea’s largest banks and broadcasting companies. “The true
intention of the DarkSeoul adversaries,” according to McAfee, was “to spy on
and disrupt South Korea’s military and government activities.”
In
December 2015, Ukraine experienced what has been called “the first blackout
caused by a cyberattack,” when eight Ukrainian utilities were hit by a malware
attack emanating from Russia. The attack left 80,000 people without power—in
the dead of winter. Related attacks crippled the IT network at Kiev’s main
airport.

Nightmares

Alexander likens freedom of action in cyberspace to “freedom of the seas…in the
19th century and access to air and space in the 20th century”—and rightly so.
The physical infrastructure America depends on—the electrical grid,
water-treatment facilities, air-traffic control system, banking and financial
systems, transportation arteries—depends on cyberspace. If America’s swath of
cyberspace is at risk, those systems are at risk—and someone could
throw America’s high-tech society back to pre-industrial days.
Before
scoffing at this, consider that U.S. officials worry about Chinese
telecommunications firm Huawei placing a “bug, beacon or backdoor” into
critical systems that could allow for “a catastrophic and devastating domino
effect…throughout our networks,” as a senior member of Congress told Foreign Policy
magazine.
Former
Defense Secretary Leon Panetta describes this sort of cyberattack as “the next
Pearl Harbor.” But that may be an understatement. Although Pearl Harbor
decimated the Pacific Fleet, it left America’s industrial, financial,
communications and utilities infrastructure untouched. An orchestrated
cyberattack could sever our transportation arteries, cripple our energy and
water utilities, freeze our financial system, blind our military, and scramble
our communications networks.
To prevent such a nightmare scenario, several
nations are calling on the UN “to create norms of accepted behavior in
cyberspace.” But given that two of the governments urging the UN to keep the
peace in cyberspace are Russia and China—each guilty of some of the most
egregious cyber-assaults to date—any UN bid for cyber-peace in our time won’t
deliver much.
A more likely path to peace and
security in this new frontier is to develop the assets, doctrine and resolve to
deter and, if necessary, conduct cyberattacks. President Ronald Reagan might
have called it “cyber-peace through cyber-strength.”
Slowly but surely, Washington is coming to realize, as Gen. James Cartwright argued in 2007, that to protect U.S. interests
and assets in cyberspace, policymakers must “apply the principles of warfare to
the cyber domain, as we do to sea, air and land.”
That
means cyberattacks must be deterred with the credible threat of punishing
retaliation and answered in kind. Cartwright has even suggested that Washington
“do something that’s illustrative” in order to communicate U.S. seriousness in
cyberspace. “The defense of the nation is better served by capabilities
enabling us to take the fight to our adversaries,” according to Cartwright.
Toward that end, President
George W. Bush committed $30 billion to strengthening government networks. Bush
also authorized the “Olympic Games” operation (which included the Stuxnet computer worm) targeting computer systems that run
Iran’s nuclear program. Stuxnet became the first major cyberattack “used to
effect physical destruction,” as Michael Hayden, Bush’s CIA director, explained.
According to Ralph Langner, an expert in industrial computer systems, Stuxnet
“was as effective as a military strike.” Langner compares Stuxnet to “the
arrival of an F-35 into a World War I battlefield.”
The good news is that Stuxnet set
back Iran’s nuclear program. The bad news, the critics warn, is that if
a cyber-smart bomb like Stuxnet can be deployed against America’s enemies, it
can be deployed against America’s highly networked military and civilian
infrastructure. While this is a real possibility, it ignores two important
realities. First, the enemy is already working on cyber-weapons and employing
them against the U.S. Second, the United States develops weapons to defend itself.
Sometimes this is achieved by the mere existence of a weapons system. But at
other times, defending the nation depends on deploying those weapons.
Taking the baton—or mouse, as it were—from his predecessor,
President Barack Obama stood up CYBERCOM. He also gave the Pentagon a green
light to develop capabilities to “deceive, deny, disrupt, degrade and
destroy” enemy information systems.
In 2013, the Pentagon unveiled plans to expand
CYBERCOM from 900 personnel to 5,000. The expansion is part of a wider effort
at CYBERCOM to field three
new forces for the Information Age: a “cyber
national mission force” to protect computer systems and networks that serve
critical infrastructure; a “cyber combat mission force” to assist regional
combatant commands in conducting offensive operations; and a “cyber protection
force” to defend Pentagon networks.
In
addition, military planners are mapping cyberspace—all the billions of
computers, switches, devices and networks that make up this ever-growing
invisible domain. Dubbed “Plan X,” this DARPA program aims to
ensure that the United States has “superior capabilities to rapidly plan,
execute and assess the full spectrum of military operations in
cyberspace.”
To
assist the warfighters, policymakers should let it be known that the U.S. would
view a cyberattack on critical infrastructure in the same way as a traditional
military attack, inviting a full military response. It’s worth noting that Russian
military officials have argued that “the use of information warfare against
Russia or its armed forces will categorically not be considered a non-military
phase of a conflict, whether there were casualties or not.”
These doctrinal changes are
needed because of the growing likelihood that America’s enemies will use
cyberspace to do far worse than simply steal from us or spam us. As Cartwright
has warned, “We lack dominance in cyberspace and could grow increasingly
vulnerable if we do not fundamentally change how we view this battlespace.”