Cyber War: The Next Threat to National Security and What to Do About It (23 page)

Even if its networks are secure, DoD runs the risk that the software and/or hardware it has running its weapons systems may be compromised. We know the plans for the new F-35 fighter were stolen by hack into a defense contractor. What if the hacker also added to the plans, perhaps a hidden program that causes the aircraft to malfunction in the air when it receives a certain command that could be radioed in from an enemy fighter? Logic bombs like that can be hidden in the millions of lines of code on the F-35, or in the many pieces of firmware and computer hardware that run the aircraft. As one pilot told me, “Aircraft these days, whether it’s the F-22 Raptor or the Boeing 787…all they are is a bunch of software that happens to be flying through the air. Mess with the software and it stops flying through the air.” I thought of the Air France Air
bus that crashed in the South Atlantic because its computer made a wrong decision.

The computer chips U.S. weapons use, as well as some of the computers or their components, are made in other countries. DoD’s most ubiquitous operating system is Microsoft Windows, which is developed around the world on development networks that have proven vulnerable in the past. This supply-chain concern is not easily or quickly solved. It is one of the areas that the 2008 Bush plan focused on. New chip factories, or fabs, are being built in the U.S. Some private-sector companies are developing software to check other software for bugs. In addition to adding quickly to the security of its networks, one of the most important things the Pentagon could do would be to develop a rigorous standards, inspection, and research program to ensure that the software and hardware being used in key weapons systems, in command control, and in logistics are not laced with trapdoors or logic bombs.

So that’s the Defensive Triad strategy. If the Obama Administration and the Congress were to agree to harden the Internet backbone, separate and secure the controls for the power grid, and vigorously pursue security upgrades for Defense IT systems, we could cast doubt in the minds of potential nation-state attackers about how well they would do in launching a large-scale attack against us. And even if they did attack, the Defensive Triad could mitigate the effects. It is admittedly difficult to measure the financial cost of these programs at this point in their development, but in terms of implementation difficulty, they could all be phased in over five years. If implemented with the thought in mind that we want to be able to derive some benefit from the improvements even before they are fully deployed, there could be a steady increase over those five years in the degree of difficulty for a nation-state thinking about cyber war against us. Unless and until this plan or some similar defensive strategy that
includes the private-sector networks is implemented, being in a cyber war would probably not be good news for the United States.

If we do the Defensive Triad, we will have the credibility to say some things that will add further to our ability to deter cyber attack. Sometimes just saying things, things that do not always cost money, can buy you added security, if you have credibility. The capstone of the triad is our “declaratory posture” toward those nation-states that would think about attacking us through cyberspace. A declaratory posture is a formally articulated statement of the policy and intention of the government. We do not have an authoritatively articulated policy today about how we would regard a cyber attack and what we would do in response. Some in the councils of a potential attacker could argue that the U.S. response to a cyber attack might be fairly minimal, or confused.

We do not want to be in a situation similar to what John Kennedy found himself in
after
he discovered that there were nuclear-armed missiles in Cuba. He declared that any such missile fired by anyone (Russian or Cuban) from Cuba toward “any nation in this hemisphere would be regarded as an attack, by the Soviet Union, upon the United States, requiring a full retaliatory response.” Those words were chilling when I first heard them as a twelve-year-old; they remain so today. If the U.S. had said that before the missiles went to Cuba, the Kremlin might not have sent them.

A public declaration about what we would do in case of a cyber attack should, however, not limit future decisions. There needs to be a certain “constructive ambiguity” in what is said. In the event of a major cyber attack, there will likely be an unhelpful ambiguity about who attacked us, and our declaratory policy needs to take that into account as well. Imagine, then, Barack Obama addressing the graduating class of one of the four U.S. military academies, something he will do four times in his first term in office. He looks out on the sea of uniformed new officers and their parents, describes the
phenomenon of cyber war, and then says: “So let me make this clear to any nation that may contemplate using cyber weapons against us. The United States will regard a cyber attack that disrupts or damages our military, our government, or our critical infrastructure as we would a kinetic attack that had the same target and the same effect. We would consider it a hostile act in our territory. In response to such aggression in our cyberspace, I, as Commander in Chief, will draw upon the full panoply of power available to the United States of America and will not be limited as to the size or nature of our response by those characteristics of the attack upon us.”

“Panoply of power” is a presidential phrase. It says he may respond with diplomatic, economic, cybernetic, or kinetic means, as he chooses and as appropriate, taking into account the target and the effect. International lawyers will quibble about the “not be limited” line, noting that defensive responses are supposed by international law conventions to be commensurate with the attack. Suggesting the response might be incommensurate, however, adds to deterrence. In nuclear strategy this idea was called “escalation dominance”—responding to a lower-level attack by moving rapidly up the escalation ladder and then saying that the hostilities must end. It sends the message that you are not willing to engage in some prolonged, slow-bleeding conflict. It is an option that the President must have, whether or not he uses it.

What if, as is likely, the attribution problem occurs and the attacker hides behind the skirts of “citizen hacktivists” or claims the attack merely transited their country, but did not originate there? Anticipating this claim in advance, Obama pauses in his address and then adds, “Nor will we be fooled by claims that a cyber attack was the work of citizen hacktivists or that attribution is uncertain. We have the capability to determine attribution to the degree necessary. Moreover, we reserve the right to consider a refusal to stop, in a timely manner, an attack emanating from a country as the
equivalent of the government of that country engaging in the attack. We will also judge a lack of serious cooperation in investigations of attacks as the equivalent of participation in the attack.”

The Obama Doctrine would be one of
cyber equivalency
, in which cyber attacks are to be judged by their effects, not their means. They would be judged as if they were kinetic attacks, and may be responded to by kinetic attacks, or other means. The corollary is that nations have a
national cyberspace accountability
and an
obligation to assist
, meaning that they would have a responsibility to prevent hostile action coming from servers in their country and must promptly hunt down, shut off, and bring to justice those who use their cyberspace to disrupt or damage systems elsewhere. America would also have these obligations and would have to shut off botnets attacking nations like Georgia from places like Brooklyn. If the Tier 1 ISPs were scanning their networks, the
obligation to assist
would be fairly easy to carry out.

Were Obama or a future President to articulate such a doctrine, the United States would have made clear that it regarded cyber attacks that disrupt or damage things not as a lesser, more permissible form of national action just because they may not result in colorful explosions or in piles of body bags. If the President also adopted something like the Defensive Triad, the U.S. would finally have a credible cyber war defensive strategy.

So, once we have reasonable defenses in place, would we then be able to go on the offensive, using our new cyber warriors to achieve military dominance of cyberspace for the United States of America?

I
n the seminal 1983 movie about computers and war,
War Games
, starring a young Matthew Broderick, the tinny computer voice asked haltingly, “Do you want to play a game of thermonuclear war?” Why don’t we play a game of cyber war in order to elucidate some of the policy choices that shape a strategy. DoD runs such exercises, called Cyber Storm, annually. The CIA’s annual cyber war exercise, Silent Horizon, has been happening since 2007. For the purposes of this analysis, I’ll make the same request of you that I made of students at Harvard’s Kennedy School and national security bureaucrats sitting around the White House Situation Room conference table: “Don’t fight the scenario.” By that I mean, do not spend a lot of time rejecting the premise that circumstances could happen someday that would result in the U.S. being on the edge of conflict with Russia or China.

When U.S. cyber warriors talk about the “big one,” they usually have in mind a conflict in cyberspace with Russia or China, the two nations with the most sophisticated offensive capability other than the U.S. No one wants hostilities with those countries to happen. Thinking about it, for the purposes of understanding what cyber war would look like, does not make it more likely. In fact, by understanding the risks of our current cyber war posture, we might reduce the chances of a real cyber war. And if, despite our intentions, a cyber war does happen, it would be best to have thought in advance about how it could unravel.

Certainly, I did not want to see the attack of 9/11 happen, but I had chaired countless “tabletop exercises,” or war game scenarios, to get myself and the bureaucracy ready in case something like it did happen. When it came, we had already thought through how to respond on the day of an attack and the few days thereafter. We spent enormous effort to try to prevent attacks, but we also devoted some time to thinking about what we would do if one succeeded. Had we not done so, that awful day would have been even worse. So, in that spirit of learning by visualizing, let’s think about a period of rising tensions between the U.S. and China.

Let’s call it Exercise South China Sea and set it a few years in the future. Not much has changed, except China has increased its dependence on the Net somewhat. For its part, the U.S. has not done much to improve its cyber defenses. We will have three teams, U.S. Cyber Command, the Chinese People’s Liberation Army (PLA) Cyber Division, and the Controllers, who play the part of everyone else. The Controllers also decide what happens as a result of the other two teams’ moves. Let’s say for the sake of the exercise that China has been aggressively pressing Vietnam and other ASEAN (Association of Southeast Asian Nations) countries to cede their rights to a vast and rich undersea area of gas and oil fields. (China
has, in fact, claimed waters that run hundreds of miles to its south, along the coasts of Vietnam and the Philippines.) We will stipulate that there have been small clashes between their navies. In an irony of history, we will say that the government of Vietnam has asked the U.S. for military support, as have other nations in the region with claims on the contested waters. In response, the President has authorized a joint U.S.-ASEAN naval exercise and has dispatched two U.S. carrier battle groups, about twenty ships, including about 150 aircraft and several submarines. China and the U.S. have exchanged diplomatic notes and public pronouncements, with both countries essentially saying that the other one should stay out of the issue. American cable news networks have at this point started showing dramatic slides with the words “South China Sea Crisis.”

As our hypothetical exercise opens at Fort Meade, the team playing Cyber Command has been ordered by the Pentagon to prepare a series of steps it could take as the political situation escalates. The order from the Secretary of Defense is to develop options to:

In this situation, the team playing Cyber Command in the tabletop exercise faces a dilemma. They do not want to expose all of the cyber attack techniques, or “exploits,” that they have developed. Once an exploit is used, cyber defenders will devote the time and energy necessary to figure out how to block it in the future. While the defenders will not fix all of the systems that could be exploited, they will patch enough of the important systems that the attack technique will have lost much of its potency. Thus, Cyber Command will want to withhold its most clever attacks. If they wait, however, the Chinese may have done things that make it far more difficult for the U.S. to execute cyber attacks.

As tensions begin to mount, China will reduce the flow of packets into China and will scan and filter for possible U.S. attacks the ones it permits in. Then it may drop connectivity to the outside world altogether. If the U.S. has not already launched its cyber attack, it will be much harder to get around the Great Firewall of China. Cyber Command will have to have created, in advance, tunnels into Chinese cyberspace, perhaps by hiding satellite telephones in China to download attacks and insert them into the Internet behind the Wall. Or perhaps Cyber Command will, working with CIA, have placed agents inside China with the attack tools already on their laptops.

If the U.S. waits to use its best weapons, China may make it difficult to launch an attack from U.S. cyberspace by confusing or crashing our cyberspace and Internet backbone. Scrambling data on the highest-echelon servers of the Domain Name System, which provides the Internet addresses of websites, or doing so on the routing tables (the Border Gateway Protocol lists) of the Tier 1 backbone providers will disrupt U.S. cyberspace for days. The effect would be to send traffic more or less randomly to the wrong place on the Internet. As noted in chapter 3, very little prevents this from happening now since these software programs that make the Internet run
do not require that there be any checking to see if the commands issued are authentic.

If the Chinese could get agents into the big windowless buildings where all the Tier 1 ISPs link to each other, the so-called peering points, or into any place on the Tier 1 ISP networks, they could possibly issue commands directly to the routers that do the switching and directing of traffic on the Internet and in the rest of cyberspace. Even though DoD and U.S. intelligence agencies have their own channels in cyberspace separate from the public Internet, their traffic is likely to be carried on the same fiber-optic cable pipes as the public Internet. The public Internet may just be a different “color” on the same fiber or maybe a different fiber in the same pipe. Chances are that there are many places where the DoD and intelligence-agency traffic is running through the same routers as the public Internet. As discussed earlier, China is very familiar with the routers. Most of them are made by the U.S. firm Cisco, but made in China.

All of that Chinese potential to disrupt the Internet and stop the U.S. from being able to send cyber attacks out means that the Cyber Command team has an incentive in the early stages of a crisis to store their attacks on networks outside of the U.S. Of course, doing so broadens the global involvement in the pending cyber war.

To begin operations, the team playing Cyber Command decides to signal their involvement with the hope of deterring China from engaging in further military operations. The act that Cyber Command conducts must be deniable publicly, but Chinese authorities must know it was no accident. The signal must demonstrate an ability to do things that are technically hard and which are significant enough for the Chinese leadership to notice, but without being so damaging as to provoke a full-scale cyber war.

Having hacked their way into the closed Chinese military intranet, they send around to senior officers a doctored picture of China’s one aircraft carrier, but in this Photoshopped version the
ship is in flames and sinking. The not-so-subtle message is that the pride of China’s navy, its one carrier, could easily be sunk by the 7th Fleet, causing great loss of face to the Chinese military; maybe it’s better not to get into what could prove to be such an embarrassing fight.

U.S. intelligence then learns that the Chinese are loading up their South Sea Fleet for an amphibious landing on disputed islands in the South China Sea. Cyber Command is asked by the Pentagon to buy some time, to slow down the Chinese landings by disrupting the troops and supplies getting ready to load up on the ships still in port. The Chinese South Sea Fleet is headquartered in Zhanjiang, on the Leizhou Peninsula, and its air force supporting operations in the South China Sea is on Hainan, in the Tonkin Gulf. The Fleet Headquarters and the Naval Air Base do not have their own electric grid; they are connected to the public power system. They do not have their own large generators, just smaller emergency backup units.

Using its subordinate unit, the 10th Fleet, Cyber Command utilizes a preexisting trapdoor in the Chinese power grid and accesses the local electric grid’s controls. Once in the control system, they issue signals that cause surges, tripping breakers that shut down transmission and stop generators. The Americans do not cause the generators or transformers to damage themselves.

The team playing China in our hypothetical exercise realizes that the blackout was caused by an intrusion and orders a trace on the attack. It is traced back to an ISP in Estonia, where the trail goes cold. No one in Beijing would think a hacker in Estonia is the real attacker. Thus the signal is sent, but in a deniable way. The signal does get the Chinese team’s attention. They are informed that the blackout on the Leizhou Peninsula tripped a cascade that knocked out all of Guangdong (formerly Canton) Province, leaving slightly more than a hundred million Chinese in the dark for almost twenty-
four hours. Hong Kong was also affected. The Politburo considers the blackout an escalatory step and asks the team playing the cyber warfare division of the PLA for options to respond.

The PLA team recommends China respond in a somewhat commensurate manner, going after cities with Navy bases, but they want to do more as well, to send the U.S. the message that they can hurt us more than we can hurt them. The Politburo approves all six steps proposed by their cyber warriors:

1. ordering the South Sea Fleet reinforced and moving more aircraft to Hainan and the southern coast airfields;
   
2. directing the Chinese submarine squadron at Yulin, on Hainan Island, to go to sea;
   
3. activating logic bombs already planted in the power grids in Honolulu, San Diego, and Bremerton, in the state of Washington, three cities where much of the U.S. Pacific Fleet is located (and although the Chinese do not know it, the blackouts will extend into Tijuana, Mexico, and up to Vancouver, British Columbia);
   
4. disrupting the unclassified DoD network by launching a new, never-before-seen worm (a Zero Day exploit) that infects one machine after another and causes their hard drives to be erased (the attack is launched from inside the DoD intranet);
   
5. attacking the Estonian ISP from which the attack on the Chinese power grid appears to have originated; and
   
6. causing a power blackout in Yokosuka and the surrounding area in Japan where the U.S. 7th Fleet is headquartered.
   

At the beginning of the next move in the exercise, with tensions escalating, Cyber Command is informed that China is about to stop Internet traffic from the outside world. The Fort Meade team, therefore, proposes to the Pentagon that it be authorized to launch two more waves of cyber attack and be prepared to launch a third. The two attacks would be on the Chinese air defense network and on the national military command control system. These attacks would use highly secret exploits and activate logic bombs already planted in these networks. In the wings would be a broad attack on the Chinese rail network, air traffic control, the banking system, and the hardware of the power grid (generators and transformers).

Somewhat to their surprise, the Cyber Command team receives instructions from the Control Team playing the White House and Pentagon to avoid attacks on the military command and control system and on defensive weapons like air defense. The Cyber Command planners are also told to avoid both the air traffic control system and the banking sector.

As the Cyber Command team is reformulating its next move, databases at the Security Industries Automation Corporation and the Deposit Trust in New York are reported to be seriously damaged and corrupted. Data has also been badly scrambled at CSX, Union Pacific, and the Burlington Northern Santa Fe railroads, as well as at United, Delta, and American Airlines. As a result, the New York Stock Exchange has closed, freight trains have stopped, and aircraft are sitting at gates across the country. The Defense Information Systems Agency, which runs DoD’s internal networks, declares an emergency because both the secret-level SIPRNET and the top-secret JWICS networks have been disrupted by fast-spreading worms that are crashing hard drives. None of these attacks originated overseas, and therefore U.S. intelligence and Cyber Command did not see them coming and could not stop
them before they got to the U.S. The attacks appear to have used new, not previously employed techniques, and thus Cyber Command was unable to block them by scanning for the signatures of past attacks.

With attacks on Chinese air defense, banking, national military command and control, and air traffic control ruled out by higher authorities, the team playing U.S. Cyber Command has fewer options than it thought it would. Moreover, because U.S. Cyber Command has a defensive role in protecting DoD networks, some of the team members are removed to deal with the worms working their destructive path through the Defense Department. In light of the significant escalation that the Chinese team utilized in its first move, the U.S. team opts to launch a nationwide power blackout in China, including targeted attacks to damage several large generators. At the same time, they will try to cause a maximum number of freight-train derailments and jumble the database of the rail system. To replace the military targets that have been ruled out by their superiors, the U.S. team decides to attack the communications satellite used by the Chinese navy and the navy’s logistics network.