Cyberwarfare Comes Of Age

By Adam Elkus

The digitized specter of cyberwar is haunting the boardrooms, barracks, and law offices of America. China’s audacious September 2007 infiltration of secure Pentagon networks and government servers in several other nations has powerfully demonstrated that cyberwar’s moment has arrived. Cybersecurity analysts have estimated that 120 different nations are working to evolve cyberwar capabilities. Most of today’s cyberwar operations involve hackers probing civilian and military networks for vulnerabilities and restricted information, operations that focus less on disruption than on recon and surveillance.

Cyberwar is here

However, the July 2007 cyberblitz of Estonia–in which massive denial of service attacks took down government and citizen networks–proves that hacking can and will be used as a kinetic weapon. Although kinetic hacking attacks are a relatively new tool, their purpose is by no means complex or exotic. Hacking will be utilized as one element of an established political or military strategy, rather than an end in itself. The goal is not the narrow disruption of a few computer systems but psychological in nature: to disrupt an enemy’s moral cohesion and cast him into confusion and chaos. This has been the goal of military forces since the days of Sun Tzu. We should not be surprised to see cyberwar fit inside such a paradigm.

Targets and vulnerabilities

Governments, militaries, and civilian populations have grown used to the near infinite reach of the Internet, satellites, and other instruments of electronic communications. They are considered not only essential to maintaining a modern society and military but even a birthright of industrialized nations. These systems could be disrupted in a number of ways.

Hackers employing zombie computers (botnets) could carry out massive distributed denial of service attacks against civilian and government networks. Such attacks would not take down classified networks, but they would slow down vital services such as banking and commerce, create panic among the civilian population, and cripple information infrastructure. This is what happened in Estonia, a small, highly digitized country.

Military hackers could also target more secure government, military, and corporate information systems via targeted hacks and insights on vulnerabilities gleaned from spyware and previous reconnaissance. In the context of a military campaign, the goal would be to disrupt command and control (C2) capabilities. China has a special interest in this because it needs to prevent the US from quickly deploying forces, and so block US entry into a conflict over the Taiwan Strait. Hacking and electronic warfare would be one part of a multi-sided asymmetric “anti-access” strategy.

Cyberwarriors

Although specialized teams of military hackers will likely be employed by states, it is more likely that states will rely on mercenary hackers with only a tenuous connection to government authorities. Outsourcing this capability will preserve plausible deniability. It is hard to tell whether Chinese hacks against Western networks–especially during highly charged political events such as NATO’s 1999 accidental bombing of the Chinese embassy in the Kosovo war–are the work of state hackers, aggrieved nationalists, or both. The Chinese military also actively recruits civilian hackers, appealing to their sense of patriotism (and profit) to turn away from cheap hacking to participation in information warfare drills and in some cases targeted attacks against Western computer networks.

The cyberblitz against Estonia, which occurred after Estonians removed a statue honoring Russian military sacrifices during World War II, is believed by many analysts to be the work of a loose group of Russian nationalist hackers associated with the government, but there is no decisive evidence to support such a claim. Given the opaque nature of the attacks, the real culprits (and their affiliation with the Kremlin) will most likely never be known.

It is hard to defend against an attack when you are unable to prove who is behind it, or even whether cyber-attacks are considered a form of war at all (experts disagree). This will make it attractive as an option to governments seeking to employ a coercive political tool that will not lead to actual violence. However, by no means will this be a tactic solely employed by governments.

Governments may stir up popular sentiment with the hope that a nationalist hacker group will strike their enemies for them. Chinese military doctrine, for instance, has attempted to apply the principles of Maoist people’s war by facilitating mass citizen participation in cyberwar. Additionally, non-state groups seeking to carry out political campaigns against states will also find probing attacks useful.

The Department of Defense hopes to counter these attacks by building its own Air Force Cyberspace Command. This is a step in the right direction–the armed forces should not be without their own cyberwar capability. However, it would be wise to take a leaf from the Chinese book and appeal to patriotic hackers to help improve American defenses. Many gray hat hackers already attack government and corporate systems in order to prove vulnerabilities exist–these individuals should be brought inside as part of an expanded corps of operatives designed to obsessively red-team government and military computer systems. Other networks, not top-down hierarchies, should fight networked enemy hackers. Building a flexible and free-ranging development and analysis apparatus will enable us to effectively engage our digitized adversaries.

Cyberstrategy

Most importantly, governments should understand that cyberwar–because of its potential for systems disruption without provoking war–will become a useful tool for cementing political influence. The Cold War was fought as a proxy war, with Third World terrorists and guerrillas as the foot soldiers. It is reasonable to assume that tomorrow’s proxy guerrillas will still wear jungle camo and tote AK-47s. But they are just as likely to kill with a laptop.


2 Responses to “Cyberwarfare Comes Of Age”

  1. rogelio007 on 17 Dec 2007 at 1:25 am

    Well, after peak oil and the depletion of crude oil deposits, cyberwarfare will be moot. Computers won’t run without electricity. We will be back to spears and bows and arrows then.

  2. deichmans on 20 Dec 2007 at 7:21 pm

    Adam,

    Yes, any organization dependent on information (be it a small business or a nation-state) needs to be able to ensure access to cyberspace. And I agree with your premise that even state-serving organizations (like the military) need to possess their own “cyberwar capability” — in fact, the best hackers I’ve ever met have been in DoD networking circles.

    I believe we also have a great deal of national pride when it comes to significant (i.e., global scale) attacks — a few years ago, when a denial-of-service attack against several key commercial Internet nodes was traced to the PLA, the barrage of “retaliatory attacks” by American teenagers was far more daunting than what was unleashed against Yahoo!, Google and Microsoft. (Do a search on “Blitzkrieg Server” for tales of retaliation from the late ’90s. :-)

    However, history has proven that the greatest threat to information systems is the malicious insider — not the malevolent outsider (or the tinkering teenager). Second most damaging is the inept insider. Hence most of our CYBERSEC is based on restricting (or at least monitoring) individual actions on the network.

    My personal opinion: Be diligent with your backups, and find as many alternative routes to achieve your objectives (be it commercial networks or SMS-based architectures). When Hurricane Isabel blew through the Mid-Atlantic in 2003, our response in USJFCOM J9 (which sat about 8′ above storm surge levels in a single-story building) was to power down our mail servers — i.e., NO email connectivity, and a remote buffer at HQ in Norfolk to hold the incoming mail queue. As a department head, I still had to provide full accountability each morning for my personnel while we were all on Administrative Leave for three days. What system remained fully operational for the duration? Audix Voice Mail. So our web-based timekeeping became (for a week) a broadcast-voicemail-cued-response, hardcopy one that was reported (also via voicemail through unreliable commercial telecom circuits) each day.

    Resilience = Awareness + Preparedness + Capability.