The European Union is proposing a treaty to “protect the web from political interference.” In a similar vein, a group of 15 countries, including the United States, has pledged to begin cooperating to reduce attacks on, and threats to, their computer networks. According to _The Washington Post_, the group is calling on the UN to “create norms of accepted behavior in cyberspace, exchange information on national legislation and cybersecurity strategies, and strengthen the capacity of less-developed countries to protect their computer systems.” An unnamed Obama administration official calls the UN plan “a step forward.” But given that two of the countries involved in issuing this pledge of cyber-cooperation are Russia and China—each guilty of some of the most egregious cyber-assaults to date—it’s unlikely that much will come from the UN’s plan for cyber-peace.
We caught a glimpse of a much more likely source of peace in cyberspace, perhaps not coincidentally, just a few weeks after the UN announced its plan. The Pentagon, at long last, has been given a green light to treat cyberspace like any other military domain and is developing capabilities to “deceive, deny, disrupt, degrade and destroy” enemy information systems.
“We have to have offensive capabilities, to, in real time, shut down somebody trying to attack us,” according to Gen. Keith Alexander, who leads the Pentagon’s nascent Cyber Command.
Deputy Secretary of Defense William Lynn calls this a “fundamental shift in the U.S. approach to network defense.”
Not only does Lynn want the U.S. to defend its swath of cyberspace; he wants NATO to apply the principles of collective defense to cyberspace. “The Cold War concepts of shared warning apply in the 21st century to cyber-security. Just as our air defenses [and] our missile defenses have been linked, so too do our cyber defenses need to be linked as well,” he argues, urging NATO to take “decisive action to defend its networks.”
NATO knows the dangers, especially NATO member Estonia.
Estonia weathered what some call “Web War I” in 2007, when Russian nationalists unleashed a volley of “distributed denial of service” attacks that crashed networks across the country. The attacks targeted key government websites, newspapers, the mobile-phone network, the country’s 911 equivalent and the country’s largest bank.
The cyber-salvos hit Estonia especially hard because the tiny Baltic country—dubbed “e-Stonia”—is one of the most web-dependent places on earth.
Estonian president Toomas Hendrik Ilves has suggested that NATO may need to upgrade its 20th-century defense commitments in light of this 21st-century threat. “Cyber-attacks are a form of offensive action that can paralyze, weaken, harm a nation-state,” he argues.
Indeed, whether or not the Russian government was behind the cyberwar—call it “WWWI”—Estonia thought so, which opened the door to far graver consequences: If Estonia had invoked NATO’s Article V—“an armed attack against one…shall be considered an attack against them all”—the result could have been an old-fashioned war.
Estonia isn’t the only country to come under cyber-assault. U.S., German, Japanese, Israeli, British and Georgian networks have come under cyber-attack from various sources, as have dozens of other allied nations.
If Russia’s cyber-attacks on Estonia in 2007 and Georgia in 2008 were intended to intimidate and confuse, China’s attacks are aimed at stealing and probing.
According to Hans Elmar Remberg of Germany’s Office for the Protection of the Constitution, “The People’s Republic of China is intensively gathering political, military, corporate-strategic and scientific information in order to bridge their technological gaps as quickly as possible.”
In June 2007, for instance, the Pentagon was forced to disable email systems that serve the Office of Secretary of Defense, after it was discovered that the PLA had hacked into the system. The U.S.-China Economic and Security Review Commission reports that Chinese hackers have planted computer components with codes that could be activated to steal or destroy data; penetrated computer systems at U.S. defense firms, the White House, State Department and NASA; and attacked government ministries in Europe, Japan, India, Taiwan, South Korea and Australia.
According to the U.S. government’s 2009 National Intelligence Strategy, “the architecture of the nation’s digital infrastructure…is neither secure nor resilient.” That puts America’s wired military and networked physical infrastructure at risk. With a few keystrokes, someone could throw America’s high-tech society back to pre-industrial days.
Before scoffing at that possibility, consider this: The British government worries that utilities-network upgrades carried out by the Chinese telecom firm Huawei may have given Beijing the ability to shut down essential services.
On the military side, Alexander explains that “maintaining freedom of action in cyberspace in the 21st century is as inherent to U.S. interests as freedom of the seas was in the 19th century, and access to air and space in the 20th century.”
And the best tool for assuring freedom of action in cyberspace is not some UN treaty or EU conference, but rather the U.S. military.
To assist the war-fighters in their mission, it would be helpful for the policymakers to let it be known that the U.S. will view a cyberattack on critical infrastructure in the same way as a traditional military attack. It’s worth noting that Russian military officials openly argue that “the use of information warfare against Russia or its armed forces will categorically not be considered a non-military phase of a conflict, whether there were casualties or not.”
To be sure, there’s a place for diplomatic discussion. Washington might consider a “no first use” pledge for cyberspace with any government that promises the same, keeping in mind that in the digital world, as in the real world, actions speak louder than words.
Alan W. Dowd writes on defense and security issues.
Leave a Reply