As I See It: The Next Big (Destructive) Thing
February 11, 2013 Victor Rozek
If you’re an unemployed software engineer, I have good news and bad news for you. There are people hiring, but they go by the name of Al Qaeda. Welcome to the worm-eat-worm world of Cyber Warfare. It is the Next Big Military Thing, and everybody is gearing up to smite their godless foes without firing a shot. According to Jeffrey Carr, head of the digital security firm Taia Global, and author of Inside Cyber Warfare, Al Qaeda released a video last year in which they recruited hackers to better attack critical infrastructure. You have to wonder what inducements they were offering?
A pleasant cave in Pakistan with cold running water and WiFi, plus a guaranteed death benefit? And what if you interview and they don’t like you? Do you still get the death benefit? There are worse things than being unemployed.
Until recently, cyber warfare has been limited to acts of disruption and annoyance. India and Pakistan play digital tag, Israel routinely hacks its angry neighbors, the Russians have created a criminal hacking empire, and the Chinese hack everybody. But Defense Secretary Leon Panetta ratcheted up the hysteria when he warned of a possible “cyber Pearl Harbor.” It conjures up absurd images of charred supercomputers and dead programmers at the bottom of a Hawaiian lagoon, but politicians toss out grand analogies when they want to generate fear and funding. (Have we forgotten Saddam Hussein’s imaginary weapons of mass destruction?)
America’s official entry into the digital fray can be traced back to May 2010, when the Pentagon set up its new U.S. Cyber Command, an idea no doubt vigorously encouraged by computer manufacturers. It was preceded a few months earlier by President Obama’s declaration that America’s digital infrastructure should be considered “a strategic national asset,” and therefore apparently eligible for militarization.
What Secretary Panetta and the President are too shy and modest to admit openly is that the U.S. has been conducting its own digital acts of undeclared war. And rather successfully, if you were to find an Iranian to admit it. The operation was code-named “Olympic Games,” and its star athlete was a computer worm called Stuxnet. It infected the Iranian nuclear fuel enrichment plant at Natanz and damaged centrifuges designed to enrich uranium. Perhaps it was launched to placate the Israelis in the hope of delaying the prospect of military action. Perhaps it was done to calm the frothing neocons, who just can’t seem to get enough of war. Perhaps we did it just because we could. But whatever the reason, Carr notes that “nobody had ever launched that kind of targeted cyber attack before.”
Iran, which has become something of a digital punching bag, was also the target of a virus called Flame. This one could “record video or voice calls, monitor Bluetooth access, copy data, or erase all data on a server.” It subsequently spread to a half dozen nations and is reported to have code similarities to its destructive cousin Stuxnet. From which we can conclude that if it didn’t originate from the same source, it was at least created in collaboration with that source.
For its part, Iran appears to have taken some of its frustration out on the Saudis. Saudi Aramco, the oil giant, was the victim of a large scale attack that “involved about 30,000 workstations and 2,000 servers.” All the hard drives were trashed and had to be replaced. One theory is that this was Iran’s subtle way of asking the Saudis “not to increase their oil production.” Alternately, they could just drive less.
The ability to cripple a nation’s power grids, financial systems, communications networks, and military infrastructure without armed intervention is indeed Olympian in its god-like power. And in a country that once prided itself on being a nation of laws, our designated Zeus is none other than President Zeusbama himself. According to The New York Times, a “secret legal review” of cyber warfare rules granted President Obama “sweeping powers” to order preemptive cyber-strikes on any country he wakes up not liking, even if hostilities have never been officially declared.
The specifics are, as usual, classified, which is problematic because secret law is no law at all. If no one knows the rules, there are effectively no rules. Without checks and balances, without accountability and oversight, the conditions under which cyber warfare may be enjoined are added to a troubling body of secret edicts that already govern preemptive drone strikes and targeted assassinations.
The justifications for extra-legal activities are often fabricated by Justice Department lawyers who author memos full of tortured logic (no pun intended) to justify what the Constitution prohibits. Think of it as a modern version of the Nuremberg Laws, not aimed at a specific minority, but at anyone or any nation on the planet that displeases us.
The problem is that the framers could not have envisioned a world of hedge funds, global networks, and Lady Gaga. As yet, no body of laws exists to cope with the full complexities of the information age. China, India, Iran, North Korea, Pakistan, Russia, Israel, and the United States are just some of the nations believed to have developed their own cyber warfare doctrines and information warfare units. Carr details several war/revolution scenarios in which cyber warfare has already played a part. They include the 2008 Russian/Georgian conflict; the 2008-2009 Israeli attack against the Palestinian Authority and Hamas; the Tulip Revolution in Kyrgyzstan; and the Jasmine Revolution in Tunisia.
But it began as early as 1999 during the Kosovo War. A NATO jet dropped a bomb on the Chinese embassy in Belgrade. Publicly, the U.S. was extremely apologetic, and called the incident an unfortunate error. But Carr claims it was attacked because the Chinese were providing communications support for the Yugoslav army. “Less than 12 hours later, the Chinese Red Hacker Alliance formed up and retaliated by launching thousands of cyber attacks against U.S. government websites.” We can assume that the web sites fared better than the embassy.
To complicate matters, inter-government hostilities don’t include the agendas of non-state players: terrorist groups, industrial espionage operations, revolutionaries, hacktivist groups like Anonymous, and even the occasional genius who just wants to test himself against the world’s best digital defenses. Hostile governments do not have to soil their digital digits in order to create mayhem; sponsorship of cyber attacks is sufficient, pervasive, and difficult to trace.
Plus, a cyber attack can be effective without taking down the entire Internet–an unlikely scenario under any circumstances. Certainly, unprotected networks are at risk. Data tables can be compromised, communications degraded, commerce can be interrupted, financial systems can be infected, and critical infrastructure–such as transportation and medical or emergency services–can be impaired. In other words, disruption is more likely than destruction, but as more and more of our systems become fully computerized, and interconnection becomes ever more the norm, the level of disruption has the potential to be truly stunning.
We know that a great deal of sensitive and proprietary data is regularly stolen or compromised. Much more than is reported, since no one wants to advertise security breaches. But cyber crime is transitioning into the realm of warfare where profit is secondary to causing harm. Under those circumstances, offensive capability has more strategic value than defensive capacity.
Absent legal guidance, ordering preemptive strikes requires exceptional discernment. Like waking up to find your neighbor’s house has been spray-painted with graffiti: do you really want to wait until your home is defaced before taking action? You can be pretty sure one of the neighborhood kids did it, but which one? And can you punish him directly, or must you punish his entire family? And if you punish the family, what are the ramifications?
Buckle up. It promises to be a bumpy ride.