Why the United States and its closest allies need to get serious about protecting cyberspace.
The recent wave of cyber-attacks against South Korea (likely emanating from China) and Canada (definitively emanating from China) aren’t the first and won’t be the last assaults on Western computer networks, which is why the United States and its closest allies need to get serious about protecting cyberspace. The good news is that key military units are already at work applying the principles of collective defense to this newest theater of operations. The bad news is that the bad guys have gotten a head start.
Some argue that cyber-attacks aren’t a threat to real-world security. They’re wrong. Just consider the worrisome words of the head of the UN agency on information technology, who fears “the next world war could happen in cyberspace,” or ask our friends in Estonia and Georgia.
Estonia weathered what some call “Web War I” in 2007, when Russian nationalists unleashed a withering volley of “distributed denial of service” attacks that crashed networks across the country, including those supporting government agencies, media outlets, the mobile-phone system and the country’s largest bank.
A year after Estonia, Russian cyber-militiamen launched a digital invasion ahead of the Russian military’s ground invasion of Georgia, crippling government networks and servers.
If Russia’s cyber-attacks on Estonia and Georgia were intended to intimidate and confuse, China’s attacks are aimed at stealing and probing.
According to the German government, victimized by massive cyber-attacks in 2007-08, “The People’s Republic of China is intensively gathering political, military, corporate-strategic and scientific information in order to bridge their technological gaps as quickly as possible.”
In fact, Beijing tacitly encourages hundreds of quasi-independent hacker teams and even trains some at Chinese military bases. The U.S.-China Economic and Security Review Commission reports that these teams of hackers have attacked government ministries in Canada, Europe, Japan, India, Taiwan, South Korea, Australia and dozens of other countries.
Last month’s cyber-attacks against Canada hit the Finance Department and Treasury Board. This month’s attacks against South Korea, which may have been launched by China or North Korea, targeted the presidency, the foreign ministry, the nation’s largest bank, and U.S. and Korean military sites. A salvo of cyber-attacks against South Korea last June targeted the defense ministry and gathered secret information on South Korean plans to acquire UAV assets such as the Global Hawk from the United States.
Inside the U.S., China’s IT commando units have penetrated computer systems at defense firms, the White House, the State Department, NASA and the Pentagon. Similarly, The Wall Street Journal has reported on “pervasive” penetration of the U.S. electrical grid, whereby malicious software and sleeper switches have been implanted to allow China or Russia to disrupt service at a time of their choosing.
To prevent cyber-skirmishes from triggering real-world conflicts, several nations are calling on the UN to “create norms of accepted behavior in cyberspace,” as The Washington Post recently reported. But given that two of the countries calling for cyber-cooperation are Russia and China—each guilty of some of the most egregious cyber-assaults to date—it’s unlikely that much will come from the UN’s plan for cyber-peace in our time.
A more likely source of peace and security in this new frontier is developing the assets, doctrine and resolve to deter and, if necessary, answer in kind cyber-attacks. The U.S. military is apparently doing just that. Reagan might have called it “cyber-peace through cyber-strength.”
Warning that “We lack dominance in cyberspace and could grow increasingly vulnerable if we do not fundamentally change how we view this battle-space,” Gen. James Cartwright, vice-chairman of the U.S. Joint Chiefs of Staff, has argued that it’s time to “apply the principles of warfare to the cyber-domain.” Gen. Keith Alexander, who heads the Pentagon’s new Cyber Command, envisions an approach to cyber-security that puts “defense and offense together.”
We may have caught a glimpse of this emerging cyber-doctrine in the guided cyber-missile known as Stuxnet. Launched sometime in 2008, Stuxnet is a computer worm that targeted and sabotaged the computers running Iran’s uranium-enrichment program and centrifuges. The Bush administration initially authorized the secret operation to “undermine the electrical and computer systems around Natanz, Iran’s major enrichment center,” as The New York Times reports. The Obama administration eagerly continued the effort.
Once it found its intended target, Stuxnet quietly ripped through Iran’s nuclear program. For 17 months, it targeted the operating systems running the program; tricked centrifuges into running faster than normal, and then abruptly slowed them down, corrupting the uranium produced in the centrifuge tubes; and confounded Iran’s nuclear scientists.
The result: an Institute for Science and International Security study cited by Newsweek concludes that Stuxnet crippled Iran’s ability to activate new centrifuges throughout 2009; Iran’s second set of 5,000 centrifuges was “beset by delays”; and at least 1,000 centrifuges “simply broke down.” Best of all, according to The New York Times, Stuxnet “secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a prerecorded security tape in a bank heist, so that it would appear that everything was operating normally.”
Ralph Langner, an expert in industrial computer systems, says Stuxnet “was as effective as a military strike.” He likens Stuxnet to “the arrival of an F-35 into a World War I battlefield.”
Of course, if a cyber-smart bomb like Stuxnet can be designed and deployed against the nascent nuclear infrastructure of America’s enemies, it can surely be deployed against the highly networked military and civilian infrastructure of the United States.
That’s why the U.S. and its allies must work together to defend their shared swath of cyberspace and take the fight to the enemy. “We have to have offensive capabilities to, in real time, shut down somebody trying to attack us,” says Alexander.
Toward that end, NATO formed a center after Estonia to help member states “defy and successfully counter” computer-network attacks. Plus, NATO’s new Strategic Concept calls on the allies to enhance their capacity to “defend against and recover from cyber-attacks.”
Alexander likens “freedom of action in cyberspace in the 21st century” to “freedom of the seas…in the 19th century and access to air and space in the 20th century.”
If that’s true, then getting serious about cyber-defense must be viewed as a priority for the West. Some allies are doing more than others in this regard. Britain is investing more than $1 billion on cyber-defense. Germany, which was hit by numerous Chinese cyber-attacks in 2007-08 and reported a dramatic increase in attacks on government networks last year, is setting up a National Cyber-Defense Center. The U.S. has committed some $30 billion to its cyber-security initiative and created a Cyber Command. South Korea was reportedly able to blunt this month’s attacks because it developed a robust set of countermeasures after cyber-attacks in 2009.
Canada, on the other hand, learned that it is poorly prepared for defending the digital realm. Consider that the contingency plan for continuity of operations after the recent cyber-attacks was ordering thousands of government employees to use home Internet connections or “wireless Internet connections at nearby cafes,” The New York Times reports.
In the age of Stuxnet, web wars, digital invasions and IT commandos, that’s simply not good enough.
Alan W. Dowd writes on defense and security issues.