A couple of days ago John wrote about the seemingly new doctrine of armed response to acts of cyber sabotage. I’m broadly with him on the badness of expanding without limit the range of events that we would treat as an act of war. But I think there is much less new here than it seems — and perhaps that lack of novel insight is more of the problem than the risks inherent in treating cyber attacks as a potential casus belli.
First of all, there is a significant trail behind this latest Pentagon statement. A major milestone came with the publication of Presidential Decision Directive 63 in 1998 — a document coming from the Clinton White House/National Security Council. The directive calls for a series of measures aimed at minimizing our vulnerability and enhancing our ability to respond to cyber attacks — response in this case meaning fixing the damage to critical systems to minimize pain, suffering, and economic and/or military damage. But the notion that a digital attack is a form of warfare is already present, part of US official doctrine all the way back in the last century:
Because of our military strength, future enemies, whether nations, groups or individuals, may seek to harm us in non-traditional ways including attacks within the United States. Because our economy is increasingly reliant upon interdependent and cyber-supported infrastructures, non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy.
And of course, this is true. As the WSJ article to which John linked recounts, the Stuxnet virus that seems to have done significant damage to Iran’s nuclear effort struck at a sovereign nation’s economic and perhaps military capacity in a pretty direct way.
Had the authors of Stuxnet managed to set off a bomb in the centrifuge room, that would have been obviously an act of violence, one of war. That the cyber path permitted the same damage to be done less messily does not alter its tactical significance, at least not in any obvious way. If the Pentagon is moving to formalize the logic implied by Clinton-era perceptions of cyber threat — well, there are changes here, but I’m not sure they are as groundbreaking as the WSJ article made it seem.
That is: the reality behind the digital metaphor of infection is one of the facts of life in a networked world. The realms of the virtual and the physical are now deeply interconnected, and disruption of the cyber networks can (and has) produced real consequences in our material circumstances. I don’t see it as a huge stretch to suggest that a cyber attack could cause the deaths of people, and that a response using other weapons that also kill people might be appropriate, if (and only if) you can reliably connect the original attack to the folks you want to target.
Which is the real problem with this not-so-new posture, a twisty little bit you can find by burrowing a little deeper into the WSJ piece:
Pentagon officials believe the most-sophisticated computer attacks require the resources of a government. For instance, the weapons used in a major technological assault, such as taking down a power grid, would likely have been developed with state support, Pentagon officials say.
Well, maybe. But I read this and come back to where I think John was heading in his piece: if a network attack by a cyber-al-Qaeda goads us into pounding the next Iraq stand-in, then we are back to what got us into our current predicament in the first place.
To which depressing thought, I’ve three reactions.
First: it is a good thing that our government is taking cyber crime/war seriously. Given how increasingly dependent we are on a complicated and variously vulnerable digital infrastructure, it would be the height of folly to think that our networks are of no interest to potential adversaries.
Second: it’s an assumption not in any evidence I’ve seen that these adversaries will be conventional states, to be deterred or defeated by conventional means.
The idea that cyber skills are uniquely the province of nations, or that digital assaults require the same kinds of concentration of resources needed to field actual armies, is as unsupported as the notion that no band of committed nothing-to-losers could strike at major civilian targets in the United States.
So if in fact the focus of this new cyber command is mostly committed to state actors, I don’t feel much more secure for its existence. Worse — if our only options in response to cyber attacks are ordinary military strikes on conventional physical targets we’ll be right back in the sad old game of shooting at the wrong people with the wrong weapons…which is no damn good at all.
Third: It’s not in the piece, and though I’ve been following some of the writing about cyber security popping up lately, I’m hardly expert. But I do worry about what I see as at least a potential trap in the way we might be imagining cyber threats. A lot of conventional, garden variety digital security is based around the idea of building a fence around a vulnerable system — that’s the idea of a firewall that keeps malware and intruders out of yours and my personal computer, or the systems to which we attach in the course of our working day.
I’m hoping that’s not how the new cyber-command — or rather, its superiors in the chain of command — are thinking. If the concept of cyber-security being developed by the national security folks is based on some kind of digital Maginot Line, an über firewall designed to keep the bad guys out, then we may well be fighting the last war. Because, as we’ve seen with major security breaches in commercial networks, the real vulnerability happens when someone gets past a security wall, whether by clever hacking from without, or old fashioned human treachery from within. If the folks directing our national cyber defence are Fulda Gap types, people with a strategic sense born of classic war-fighting approaches, then we’re in for trouble.
Early days, but my own web paranoia is peaking, and I have a deep urge to encrypt everything down to my cat Tikka’s 313131122’s name.
Images: Giovanni Batista Tiepolo, tentatively identified as the victory of Gaius Marius over Teutonic tribes in 101 B.C.E., c. 1725-1729
joes527
A country that responded to 9/11 by invading Iraq isn’t going to get things more wrong just because computers are involved.
The problem is that to a nation who has, what? 40 some percent of the hammers in the world, everything looks like a fucking nail.
Chuck Butcher
I don’t suppose we really needed a justification to drop bombs or whatever. So, if the address is reliably a building in a city in China … ?
jwb
@joes527: More to the point: if said hammers don’t have fucking nails to hit a lot of rich people lose a lot of money.
jwb
@Chuck Butcher: Well, if you are in the nuclear club you get a pass, don’t you know. What I wonder is who is going to take away our nukes when we finally ride the crazy train off the cliff, which the way things are going may not be so far off.
Fred
Your first mistake was using WSJ as a source.
Chuck Butcher
@jwb:
We went over that cliff thirty some years ago, what we haven’t done is that sudden stop that really hurts a lot.
Keith G
Can I get a drone attack called in on my wifi card provider? Their shitty service is an attack on America.
Other than that…. Ho hum.
gex
@joes527:
This. And I may steal a paraphrased version. Your royalty check will be paid to the RIAA if you can get it from their money-grubbing hands.
Temporarily Max McGee (soon enough to be Andy K again)
@Fred:
How, exactly, was that a mistake?
me
The lulzsec guys referenced this when they defaced and leaked data from an fbi contractor on Friday.
slag
So, does this mean we can transition our wars of perpetuity over to being cyber wars of perpetuity instead? Like they did on that Star Trek episode? I just want to get to wear those pointy hats.
But, truly, joes527 @1 nailed it. (Pun surprisingly not intended.)
Temporarily Max McGee (soon enough to be Andy K again)
@slag:
Only if you view it with American Anti-Exceptionalism blinders on. The players involved in the near future could be Russia, China and India amongst themselves- the US a neutral observer- who could blame one another for the works of anonymous hackers. It isn’t as if there haven’t been tensions between China and India or China and Russia in the recent past, when none of the three were exactly economic giants.
And not that there are only four nations in the world who could be gravely affected by hacks and viruses, who might look to blame their neighbors for anonymous hacks. Iraq-Iran? Turkey-Syria?
Villago Delenda Est
@joes527:
As others have said before me, this, this, this.
The “military solution” is the only one that many of these people see. Given that most of them have never worn the uniform, let alone actually been part of the hammer as it goes after everything out there that might be construed as a nail, this is particularly appalling.
Mike in NC
Yes. The IT “experts” within the Pentagon have been saying the USA and China have been engaged in a virtual cyber war for the past several years. The PLA has a massive number of hackers looking for vulnerabilities in both government and private sector computer systems.
Doug-boy
My concern is that detection and identification of the “source” of such an attack is far more difficult than seeing a heat bloom from a missile silo. Thus, it seems to me that knee-jerk reactions to cyber attacks run a far greater chance of leading us in the wrong direction. As we have already demonstrated amply, we aren’t that good at reacting to physical attacks, even the unconventional ones that use aircraft as the weapon. I have little confidence in our government’s ability to respond appropriately (or to convince the public, who aren’t typically cyber security educated).
Fred
@Temporarily Max McGee (soon enough to be Andy K again): Urrrum……becccauuussee it…ssss…thhheeeeee…..W….S….J.
Why not just quote Faux Nation or Drudge report? They probably use the same fact checkers.
Omnes Omnibus
@Fred: Because the news parts of the WSJ are still functional. The Op-Ed people are, and have been, crazy, but the news org is competent.
MikeJ
@Omnes Omnibus: And not just competent. The news side of WSJ is among the best in the world.
Fred
@Omnes Omnibus: If you actually trust a Murdoch owned rag I feel very sorry for you.
Walker
The problem with this justification is that it suggests either we or Israel declared war on Iran. It is commonly believed that Stuxnet required support from a state actor, and those are the two most likely culprits.
hamletta
I’m with Tom on this one. I thought John’s response was uncharacteristically blinkered.
We’re not talking about dropping a bomb on some haxt0r who creates an annoying e-mail virus, even one that shuts down a bunch of huge sites.
Shutting down, say, a financial transfer network is tantamount to robbing an armored car, or more likely, a dozen of them, and blowing up a railroad or two in the olden days.
What about taking out a chunk of the electrical grid? That happened a few years ago (thanks to a dead squirrel?), and people didn’t go all Lord Of the Flies, but still. People can die in a situation like that, f’rex if they’re at home, but with medical equipment that keeps them alive.
I don’t know how you can see a deliberate assault on these systems as anything other than an act of aggression.
Is it because they don’t involve ’splody things?
eemom
@Omnes Omnibus:
dude, save your pixels. Fred is like toko-loko without the cute.
quaker in a basement
Offered without comment:
A Cyberwar Case Study: Georgia 2008
joes527
@Temporarily Max McGee (soon enough to be Andy K again): If you are saying my foam finger isn’t sufficiently rigid, I can tweet you a picture that would put that idea to rest.
Joey Giraud
Al Queda, Al Shmaeda… this is just nonsense to scare us away from the current Internet.
Before the Internet, big business was expecting an “Information Superhighway” just like T.V. and radio, with big, centralized suppliers ( them, ) and dependent consumers.
But dinky little ARPANET and email took everyone, ( including the “prophetic” Bill Gates, ) by surprise and grew into the de facto worldwide network. The big boys were unprepared for the explosion of democratic publishing, social connectivity, and free information.
The Internet is designed to be peer-to-peer, like democratic civil society itself, making it difficult to control. In fact, from their point of view, the Internet as it is is wildly dangerous.
It’s been obvious for a while now that there’s going to be a major assault on the Web in its current form. It’s already happening, and this is one more attempt to weaken the people’s network.
slag
@Temporarily Max McGee (soon enough to be Andy K again): I’m curious as to how many of the countries you mentioned are deeply engaged in three concurrent wars at the moment.
War, by any civilized standard, is an admission of failure. We’ve built a system that is, empirically (and I guess imperially), failing on multiple fronts right now.
Nonetheless, I’m prepared to meet half way. In the interest of science, let’s scale down our MIC by about 25% and see how it goes. I’ll be happy to be on the receiving end of the I-told-you-so should it come due.
Joey Giraud
If the government and military were truly concerned about this kind of threat, it would disconnect from the Internet and create a separate network for its own work. It wouldn’t be that expensive in the big picture.
But then they wouldn’t have an excuse to stick their fingers into your ISP server logs, and sniff and store packets from everywhere.
jwb
@Joey Giraud: It will be interesting whether the powers that be can bring the internet to heel. I don’t think they will, though I think we’re likely to find out that we just exchanged one set of masters of the world for another.
slag
@Joey Giraud:
Memo from the DOD to Google and Facebook: “We want our Internet back.”
Fucen Pneumatic Fuck Wrench Tarmal
oddly, i am not as concerned about the actual cyber-war, thrust and parry of nations launching attacks, defending against them, etc..
my concern is when, not if, an attack causes enough damage to become a real world concern. the politics of the war, rather than the “military” of a cyberwar. how is our government going to position what it deems necessary, and how will it advance an agenda, based on whatever crisis is presented.
Mike in NC
@Joey Giraud:
DOD already has them: SIPRNet and NIPRNet
Svensker
And why shouldn’t Iran view that as a reason to retaliate against those who did it? Imagine the hullabaloo here or in Israel were the tables turned.
Mike M
There are many ways to cause havoc, destroy property, and kill people. Certain acts of sabotage have been considered acts of war for hundreds of years. The fact that we can do many of these things by networked computers is novel, but the result isn’t.
I think people are more concerned about the US getting involved in wars of choice rather than wars of self defense. If a cyber attack from a hostile nation brings down our air traffic control system, for example, I imagine that most Americans would expect their government to take aggressive action, and if appropriate, retaliate.
I’m not concerned that the US is going to bomb China because of spam.
Martin
I don’t understand the outrage on this. Basically all the military is saying is that this could be used as a justification for war, not that it would certainly result in it.
I mean, if a nation-state like China makes a clear and concerted cyber effort to take down the military C&C structure, would we not treat that as a hostile act? Who gives a shit how NORAD gets knocked offline – either hacker or nuke, it’s a hostile act.
Yutsano
@Martin: I guess the real question in my mind is what is the proper response to a cyberattack? Should we just lob a couple of nukes at whoever scrambled the DoD defense network? Invade Beijing? Air raid Nanjing just to give the populace nightmares again? Or should the sanctions instead fit more with the nature of the attack, say cutting off the Chinese from the Internet at least temporarily? I know guns are more exciting for wingnuts but it seems like there are smarter approaches than just blowing up brown folk indiscriminately.
Chad N Freude
For a chilling perspective on cyber war (and just incidentally, real Journalism), see this Vanity Fair article on Stuxnet.
ETA: Prof. Levenson, you may be right about the presumption that state actors are not necessarily responsible for Stuxnet, but the article makes a pretty good case that a bunch of geeks in their mothers’ basements couldn’t have pulled it off.
Martin
@Yutsano: The proper response has nothing to do with the action itself but what the next action is expected to be. Sunk cost and all that. Cyberattacks are expected to be precursors to some other action – take some part of our defense structure to improve the success rate of a conventional attack. I mean, that’s why nations send in spies and saboteurs which is all this is.
Put another way, if a bunch of Chinese nationals came in and detonated explosives at key locations that had the same impact as a cyberattack, you don’t think we would have a right to respond to that? A nuke would be appropriate if the intent was to launch a nuclear attack on the US, but we’re not unaware of proportionate response, and that response could simply be to cut China off the internet for a spell. It’s not like we haven’t done that before.
@Chad N Freude: Stuxnet had to be a state action. There’s absolutely, positively no way that non-state actors could have gotten access to the information that was needed for that to work. It wasn’t just obscure, it required knowing what kind of equipment was being used in Iran (a state secret) and then getting access to internal corporate information, and then testing the damn thing on that equipment which would have cost a fortune to do. Until Stuxnet, all such viruses were broad in purpose and designed to take advantage of scale – they worked because you could count on 5%-10% of computers to be susceptible and with a population of hundreds of millions of machines, that’s all you need to be successful. Stuxnet was narrow in purpose. The equipment it targeted had to be 100% susceptible to it, with an outer layer of completely different equipment being both partially susceptible to it and unable to detect it. It does it a disservice to lump it in with any previous virus that we’ve seen.
Nic
Maybe it wouldn’t be a bad idea to start making more high technology stuff here in the good ‘ol USA. Remember the picture frame hootenanny?
I’m getting paranoid myself.. I’ve spent most of my life in the digital world (Remember calling with a 300-9600bps modem to FidoNet node to poll the latest echo and netmail?). Things were far more simple not even 10 years ago. Progress in computerland is a good thing, but I think we must exercise more caution.
Now, every piece of software is backed up by hundreds of MB of library, no one seems to check MD5/SHA hashes when downloading (or even know what they are), many developers don’t bother to look at a bit of code in the libraries they use… or worse yet: you’ve got your new SSD HD, imported from somewhere.. imagine the picture frame incident on a large [competent] scale: HDs, sold to <someone who manages mission critical stuff somewhere, gov stuff, etc> with bytecode embedded in the processor of the drive that… I’ll stop there, I don’t want to give out any free ideas. But we all know that there are gaping holes everywhere. Much of the stuff that runs infrastructure here uses the mentioned principle of firewall protection.. which is unfortunate, considering the software that runs this stuff is mostly protected by only obfuscation.
Tom Levenson
@Chad N Freude: @Martin:
I wasn’t saying that Stuxnet wasn’t state action…I am saying that looking forward it seems to me to be very naive to think that sophisticated cyber conflict is the exclusive province of states.
Lots of non-state actors are already heavily involved in cyber crime; the leap from that to more broadly malign uses of digital tools is not very great at all.
Temporarily Max McGee (soon enough to be Andy K again)
@Fred: @Omnes Omnibus:
Omnes has it right.
The WSJ hard news reportage has always been top notch. If they played it with any bias as they do in the op-ed section, the target audience- investors looking for that little edge that might turn up as a tidbit in a news story- would shun it if the news department sold them bum steers.
Temporarily Max McGee (soon enough to be Andy K again)
@joes527:
No, not saying that, just saying that with the recent histories of border skirmishes between those countries when the stakes were much lower as far as they were concerned, that cyberwars involving them could just as easily turn to shooting/bombing wars.
Don’t take that as me rationalizing justifications for the US to go to war under such circumstances, but that, well, I can easily picture it happening along a lot of different borders- again, with the US being an innocent bystander.
Draylon Hogg
I’ve seen War Games. It could get nasty. So render unto Guantanamo Bay Matthew Broderick forthwith.
Enough nuclear weapons to turn the planet into molten slag and still shitting yourselves over the sight of your own shadow.
Ben
@Martin: This is the first coherent post on this topic. Anyone that doesn’t take cyber security and cyber warfare seriously is going to get screwed. As a nerd and an IT security professional, I’m extremely happy to see us take this seriously… it is how wars will be waged in the future. Much of the talk surrounding the policy of kinetic attacks in retaliation/response for a cyber attack is for the purpose of deterrence. However, there is a great deal of talk amongst the security community (I work in the civilian arena of government security) regarding the effectiveness of deterrence with cyber attacks; with the technology available today, it can be very difficult to discover where attacks come from. An example of this is that there was a discovery made a few years ago of cyber attacks allegedly coming from NK. This was hard to fathom since they are so closed off. It was discovered that the North Korean government had an operation set up in Seoul to conduct cyber attacks, mostly against the US, stocked with a very advanced group of NK military personnel. This group obviously only has to worry about offensive attacks and little about defensive attacks since their country is already starving and most of the population is insane from starvation and propaganda.
The US currently has the most advanced cyber warfare unit in the world, but Russia, China, NK, France and the UK are getting closer. Making our own hardware would certainly help. There are proposals flying around in regards to tightening up the ingress/egress points of internet access that travel abroad (ocean floor, etc.) so they could be shut down in the case of an attack. I’m fine with this as long as the legislation makes it clear that the government isn’t to become the porn monitor for the world.
The most serious problem is for US business… Sony Movies website was hacked and more than 1M (million) customers’ passwords were nabbed since they were stored in plaintext in the server (huge no-no). The attack was a simple SQL injection attack (entering an SQL statement that is always “true” on a website instead of a username and password) that will get through the door and onto the system. These can be stopped by simply applying patches and coding your website properly (and encrypting all “data at rest”).
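The always-true login input and plaintext password storage described in the comment above, shown as an added example that is not part of the original thread: a constructed SQLite login check built by string concatenation beside a parameterized one. The table names, the account and the inputs are made up for illustration, and the hardened version stores salted PBKDF2 hashes (the usual practice for passwords) rather than the encryption the comment mentions.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def _derive(password, salt):
    """Salted, slow hash of the password; only this value is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db():
    """In-memory database holding one constructed account, stored both ways."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users_hashed "
               "(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    db.execute("INSERT INTO users_plain VALUES ('alice', 'correct horse')")
    salt = os.urandom(16)
    db.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
               ("alice", salt, _derive("correct horse", salt)))
    return db


def login_vulnerable(db, username, password):
    # Weak form: input is pasted into the SQL text, so a quote character in
    # the input ends the string literal and the rest is parsed as SQL.
    query = ("SELECT username FROM users_plain "
             f"WHERE username = '{username}' AND password = '{password}'")
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed input can also break the statement outright


def login_hardened(db, username, password):
    # Placeholders keep input as data: the SQL text never changes.
    row = db.execute("SELECT salt, pw_hash FROM users_hashed WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the derived hash with the stored one.
    return hmac.compare_digest(_derive(password, salt), stored)


def dump_contains(db, table, needle):
    """True if a full dump of `table` would expose `needle` (a stolen-database check)."""
    if table not in ("users_plain", "users_hashed"):  # fixed allowlist, never user input
        raise ValueError("unknown table")
    needle_bytes = needle.encode("utf-8")
    for row in db.execute(f"SELECT * FROM {table}"):
        for cell in row:
            data = cell if isinstance(cell, bytes) else str(cell).encode("utf-8")
            if needle_bytes in data:
                return True
    return False


# Constructed input of the kind the comment describes: a condition that is always true.
ALWAYS_TRUE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, always-true input:", login_vulnerable(db, ALWAYS_TRUE, ALWAYS_TRUE))
    print("hardened,   always-true input:", login_hardened(db, ALWAYS_TRUE, ALWAYS_TRUE))
    print("hardened,   real credentials: ", login_hardened(db, "alice", "correct horse"))
    print("plaintext in dump of users_plain: ", dump_contains(db, "users_plain", "correct horse"))
    print("plaintext in dump of users_hashed:", dump_contains(db, "users_hashed", "correct horse"))
```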
JR
If we accept that the creation or deployment of a computer worm like Stuxnet is an act of war, and I agree that we should, then remember that Stuxnet performed as designed and destroyed a uranium enrichment facility in Iran.
So by our own logic, isn’t Stuxnet an act of war against the Iranian state? Should we be surprised if and when the Iranian state strikes back at the USA with some kind of unorthodox action which destroys some kind of American facility, like a huge portion of our power grid?
Should we accept that, having been attacked by us, Iran is fully justified in replying to that attack? Are we at war with Iran? What exactly has Iran done to the “Homeland” of America that creates a state of war between us? Not kowtowing and shutting down their nuclear program? Providing material support for Iraqi fighters who oppose our unprovoked war against Iraq?
There are a lot of interesting geopolitical questions here, most of which make Stuxnet (elegant and successful cyber-weapon though it was) and our deployment of it, look poorly thought out.
I hate geopolitical questions arising from stupid ill-considered tactical actions undertaken without considering the concomitant strategic issues created by the tactical action. Now we get to worry about our nuclear power plants and the increasingly sophisticated digital control systems we use to manage them. Because I bet the Iranian cyber warfare geeks, who are probably some of the smartest guys in a nation of well educated people, won’t hesitate a minute to kill or sicken millions of American citizens in a retaliation for Stuxnet.
Depressing!
AAA Bonds
To me the question is: even if a state actor is involved, how likely are we to be able to prove that? Even if we satisfy our own security agencies and citizens, can we satisfy the international community to the degree that our allies will support a violent response?
It’s a lot easier to farm out DOS attacks, etc, than it is to contract for car bombings or assassinations.
Were the Chinese attacks on Google prompted or materially supported by the Chinese government? We’ll probably never know for sure unless China’s government opens up about its operations in this decade.
mclaren
@Ben:
You’re an ignorant incompetent crank and Martin is as usual a witless fool.
There is no evidence whatsoever that any of this “cyberwar” bullshit has any reality on the ground. None.
All this cyberwar crap is a giant scam designed to make the inept worthless consulting companies of a bunch of greedy incompetent Pentagon contractors wealthy beyond the dreams of avarice.
Not only will war not be fought in the future by planting viruses in the enemy’s computer network, you as an alleged “IT professional” are so ignorant and so incompetent that you don’t realize current military computer networks are not open to the rest of the world. SIPRNET isn’t some ip address you can just dial up, as in the fantasy movie WAR GAMES. It’s an entirely separate system, not accessible from anywhere else except inside the U.S. military.
Go back to telling us how we need to go to war because of all those dangerous dangerous daaaaaaaaaaaaaaaaangerous WMDS in Iraq, you clueless incompetent fool.
Of course, you and Martin will predictably ridicule and deride this statement of documented facts, so let’s go to an actual authority — Scientific American. What does this peer-reviewed academic journal have to say about the cyberwar scare?
“Don’t believe scare stories about cyber war” by John Horgan, Scientific American, 3 June 2011.