By Adam Elkus
The digitized specter of cyberwar is haunting the boardrooms, barracks, and law offices of America. China’s audacious September 2007 infiltration of secure Pentagon networks and government servers in several other nations has powerfully demonstrated that cyberwar’s moment has arrived. Cybersecurity analysts have estimated that 120 different nations are working to develop cyberwar capabilities. Most current cyberwar operations involve hackers probing civilian and military networks for vulnerabilities and restricted information, operations that focus less on disruption than on reconnaissance and surveillance.
Cyberwar is here
However, the July 2007 cyberblitz of Estonia–in which massive denial of service attacks took down government and citizen networks–proves that hacking can and will be used as a kinetic weapon. Although kinetic hacking attacks are a relatively new tool, their purpose is by no means complex or exotic. Hacking will be utilized as one element of an established political or military strategy, rather than an end in itself. The goal is not the narrow disruption of a few computer systems but a psychological one: to disrupt an enemy’s moral cohesion and cast him into confusion and chaos. This has been the goal of military forces since the days of Sun Tzu. We should not be surprised to see cyberwar fit inside such a paradigm.
Targets and vulnerabilities
Governments, militaries, and civilian populations have grown used to the near infinite reach of the Internet, satellites, and other instruments of electronic communications. They are not only essential for the maintenance of a modern society and military but considered an essential part of a modern society and even a birthright of industrialized nations. Disrupting these systems could be carried out in a number of ways.
Hackers employing zombie computers (botnets) could carry out massive distributed denial of service attacks against civilian and government networks, not taking down classified networks but slowing down vital services such as banking and commerce, creating panic among civilians, and crippling information infrastructure. This is what happened in Estonia, a small, highly digitized country.
Military hackers could also target more secure government, military, and corporate information systems via targeted hacks and insights on vulnerabilities gleaned from spyware and previous reconnaissance. In the context of a military campaign, the goal would be to disrupt command and control (C2) capabilities. China has a special interest in this because of its need to block US entry into a conflict over the Taiwan Strait by preventing the US from quickly deploying forces. Hacking and electronic warfare would be one part of a multi-sided asymmetric “anti-access” strategy.
Although specialized teams of military hackers will likely be employed by states, it is more likely that states will rely on mercenary hackers with only a tenuous connection to government authorities. Outsourcing this capability will preserve plausible deniability. It is hard to tell whether Chinese hacks against Western networks–especially during highly charged political events such as NATO’s 1999 accidental bombing of the Chinese embassy in the Kosovo war–are the work of state hackers, aggrieved nationalists, or both. The Chinese military also actively recruits civilian hackers, appealing to their sense of patriotism (and profit) to turn away from cheap hacking to participation in information warfare drills and in some cases targeted attacks against Western computer networks.
The cyberblitz against Estonia, which occurred after Estonians removed a statue honoring Russian military sacrifices during World War II, is believed by many analysts to be the work of a loose group of Russian nationalist hackers associated with the government, but there is no decisive evidence to support such a claim. Given the opaque nature of the attacks, the real culprits (and their affiliation with the Kremlin) will most likely never be known.
It is hard to defend against an attack when you are unable to prove who is behind it, or even whether cyber-attacks are considered a form of war at all (experts disagree). This will make it attractive as an option to governments seeking to employ a coercive political tool that will not lead to actual violence. However, by no means will this be a tactic solely employed by governments.
Governments may stir up popular sentiment with the hope that a nationalist hacker group will strike their enemies for them. Chinese military doctrine, for instance, has attempted to apply the principles of Maoist people’s war by facilitating mass citizen participation in cyberwar. Additionally, non-state groups seeking to carry out political campaigns against states will also find probing attacks useful.
The Department of Defense hopes to counter these attacks by building its own Air Force Cyberspace Command. This is a step in the right direction–the armed forces should not be without their own cyberwar capability. However, it would be wise to take a leaf from the Chinese book and appeal to patriotic hackers to help improve American defenses. Many gray hat hackers already attack government and corporate systems in order to prove vulnerabilities exist–these individuals should be brought inside as part of an expanded corps of operatives designed to obsessively red-team government and military computer systems. Other networks, not top-down hierarchies, should fight networked enemy hackers. Developing a flexible and free-ranging development and analysis apparatus will enable us to effectively engage our digitized adversaries.
Most importantly, governments should understand that cyberwar–because of its potential for systems disruption without provoking war–will become a useful tool for cementing political influence. The Cold War was fought as a proxy war, with Third World terrorists and guerrillas as the foot soldiers. It is reasonable to assume that tomorrow’s proxy guerrillas will still wear jungle camo and tote AK-47s. But they are just as likely to kill with a laptop.