Cyber War: The Next Threat to National Security and What to Do About It (26 page)

The U.S. decision to withhold attacks narrowly targeted on the financial sector also reflects an understanding that the United States might be the biggest loser in a cyber war aimed at banks. Even
though the financial services sector is probably the most secure of all of the major industry verticals in the U.S., it is still vulnerable. “We’ve tested the security at more than a dozen top U.S. financial institutions, as hired consultants, and we’ve been able to hack in every time,” one private-sector security consultant told me. “And every time, we could have changed numbers around and moved money, but we didn’t.”

The existing U.S. policy does not prohibit hacking into foreign banks to collect intelligence, but it does create a very high hurdle for altering data. Both the Secretary of the Treasury and the Secretary of State have to personally authorize such an action. As far as I was able to determine from my sources, that approval has never been granted. We have, in effect, what in nuclear war strategy we called a “withhold target set,” things that we have targeted but do not intend to hit. That policy assumes, or hopes, that opponents will also play by those unarticulated rules. In Exercise South China Sea, the PLA team did not. In its last move it hit the databases of the stock market and the major bank clearing house. That was a dramatic and, we hope, unrealistic escalation. Today China’s economy is so tightly connected to America’s that they, too, might have a withhold doctrine affecting the financial sector. Under foreseeable circumstances, it is maybe an acceptable risk to assume that nations will all withhold data-altering attacks on the financial sector, though some U.S. analysts would dispute that about China.

Because a sophisticated nonstate actor might not be so polite, it would be important for the U.S. financial sector to have an advance understanding with the federal regulators about what they would do if there were a major hack that altered data. Certain European and Japanese institutions should probably also be discreetly consulted about the policies they would use to reconstruct who owns what after a major data-altering breach. The Federal Reserve Bank and the Securities Industry Automation Corporation, among other
financial database operators, have extensive off-site backup systems. Key to their being prepared to fix a data-altering breach is the idea that there is data with a recent picture of “who owns what” that is unlikely to be altered by a cyber attack. With the agreement of the federal regulators, banks and stock markets could revert to a prior date to recover from a data-altering breach. Some people would be hurt and others enriched by such a decision and it would be the subject of litigation forever, but at least the financial system could continue to operate.

China’s air traffic control (ATC) system was also placed on a withhold list in the exercise. As the U.S. modernizes its ATC, making it more network dependent, the system is likely to become only more vulnerable to cyber attack. Already with the older system, the U.S. has experienced instances where individual airport towers and even specific regional centers have been blacked out for hours because of computer or communications connectivity failures. As far as we know, none of these major outages was caused by hacking. (There is one case of an arrest for hacking into the FAA system, but the effects of the attack were minor.)

Nonetheless, the potential for someone altering data and causing aircraft to collide in midair has to be considered. The U.S. is a party to the Montreal Convention, which makes an intentional attack on a civilian airliner a violation of international law. Of course, almost all hacking is a violation of some national and/or international law, but the Montreal Convention is an articulation of the general global sentiment that certain kinds of actions are beyond the pale of acceptable conduct.

Hacking into the flight controls of an aircraft in flight is probably also becoming more feasible. The Federal Aviation Agency raised concerns with Boeing that plans for the new 787 Dreamliner called for the flight control system and the elaborate interactive passenger-entertainment system to use the same computer network. The FAA
was concerned that a passenger could hack into the flight control system from his seat, or that live Internet connectivity for passengers could mean that someone on the ground could hack into the system. The airlines’ own systems already create a data connection from the ground to some aircraft’s computer networks. The computer networks on a large passenger aircraft are extensive and play a significant role in keeping the aircraft in the air.

In modern “fly-by-wire” aircraft, it is the flight control system that sends a computer signal to a flap, aileron, or rudder. The Air France crash over the South Atlantic in 2009, mentioned earlier, revealed to a wider audience what pilots have known for years: in modern fly-by-wire aircraft, onboard computers decide what signals to send to the control surfaces. Under certain circumstances, the software can even override the decision of a pilot to prevent the manual controls from making the aircraft do something that would cause it to stall or go out of control. As that recent Air France crash also demonstrated, the aircraft’s computers were firing off messages back to the Air France headquarters’ computers without the pilot being involved. As with the ATC system, the computer networks of commercial passenger aircraft should probably also be off limits. Military aircraft are, however, likely to be considered fair game.

Had the Cyber Command team asked the Controllers for permission to attack the reservations and operations network of Chinese airlines, they may have gotten a different answer. In the real world, computer crashes at U.S. and Canadian airlines have kept hundreds of aircraft grounded for hours at a time. The aircraft worked and there were crews available, but without the reservations database and the operational network up and running, the airlines did not know what crew, passengers, cargo, or fuel load should go on what planes. The airlines, like so many other huge business systems, no longer have manual backup systems that are sufficient to create even minimal operations.

There may be other withholds, in addition to banking and commercial aircraft. In the exercise, two of the networks that Cyber Command was told not to strike were China’s military command and control network and their air defense system. Since those are purely military targets, why were they spared?

6. ESCALATORY CONTROL

During the Cold War, I often participated in exercises in which teams of national security officials were secretly hustled out of Washington on short notice to obscure, covert locations. Once at our destinations, the teams did exactly what the
War Games
movie computer suggested. We played thermonuclear war. These were massively depressing experiences, since the “game reality” we had to accept was that millions of people had already died in a nuclear exchange. Our job was almost always to finish the war and begin the recovery.

The most difficult part of finishing the war usually turned out to be finding who was still alive and in control of the military on the other side. What survivor was in command of Soviet forces, and how do we talk to him without either of us revealing our hidden locations? Part of the problem that the game controllers deviously planned for us sometimes was that the guy with whom we were negotiating war termination did not actually have control over some element of the surviving Soviet force, for instance, their nuclear missile submarines. What we learned from these unpleasant experiences was that if we eliminate the opponent’s command and control system, then he has no way to tell his forces to stop fighting. Isolated local commanders, cut off from communications with higher echelons, or not recognizing the authority of the surviving successor, made their own decisions, and often it was to keep fighting. It was the nuclear war equivalent of those lone Japanese fighters who kept
turning up on remote Pacific isles in the 1950s, unaware that the Emperor had years before ordered them to surrender.

There may be a parallel in cyber war. If a cyber attack eliminates a military command and control system, it could be difficult to prevent or terminate a kinetic war. In most militaries authority devolves to the local commander if he cannot get in touch with his superiors. Even if the command system is still operating, if the local commander believes that the system has been taken over by an opponent who is now issuing false instructions, command probably devolves to the local general until he can ascertain that he is in reliable communications with a valid superior. This is the situation so vividly portrayed in the movie
Crimson Tide
, where the U.S. nuclear submarine commander received and authenticated an order to launch nuclear missiles and then received an order to stop. Unable to authenticate the order to stop the attack, and fearing that it was a bogus order somehow sent by the Russians, the captain believes that procedures require him to launch.

The conclusion that we came to repeatedly in the nuclear war games was that it was probably an error to engage in a “decapitating strike,” one that made it impossible for the leadership to communicate with us or with their own forces. In cyber war, it may be desirable to cut off certain units from higher command, or to deny an opposing force access to intelligence about what is going on. But in choosing what units to cut off, one needs to keep in mind that severing the command link to a unit runs the risk that it will launch an attack on its own. Thus, cyber attacks should probably be carefully constructed so that there is still a surviving communications channel for negotiations and a way in which the leadership can authoritatively order its forces to stop fighting.

The exercise’s Control Team also denied Cyber Command the authority to strike at air defense networks. The rationale for that kind of withhold at that point in hostilities is “escalatory control.”
In his 1965 masterpiece of military strategy,
On Escalation
, Kahn argued that if your goal is war termination short of the total destruction or forced surrender of the opponent, you can signal that by what you strike and what you withhold. You may want to signal that you have limited intentions so that the other side does not assume otherwise and proceed as if it has nothing to lose.

There are cyber war corollaries to escalation control. A cyber attack on a nation’s air defense system would lead that country’s leadership to the logical conclusion that air attacks were about to happen. In Exercise South China Sea, there were U.S. aircraft carriers nearby. If the Chinese military thought that those carriers were getting ready for air strikes on China, they would be right to take preemptive steps to sink the carriers. So, a cyber attack on the air defense network could have caused the beginning of a kinetic war that we were seeking to avoid. Even an attempted penetration of that network to lay in trapdoors and logic bombs might have been detected and interpreted as a prelude to imminent bombing. So just getting into position to launch a cyber attack would have sent the wrong message in a crisis, unless those steps had been taken well in advance.

Herman Kahn, Thomas Schelling, William Kaufmann, and the other “Wizards of Armageddon” spent a lot of time thinking about how to control nuclear escalation, from the tensions leading up to a crisis, to signaling, to initial use, to war termination. Initially the nuclear strategists saw war moving slowly up the escalatory ladder, with diplomatic attempts being made at every rung to stop the conflict right there. They also discussed what I referred to earlier, “escalation dominance.” In that strategy, one side says, basically, “We don’t want to play around with low-grade fighting that will gradually get bigger. If you want to fight me, it’s going to be a big, damaging fight.” It’s the warfare equivalent of going all-in on a hand in poker and hoping your opponent will give up rather than risk all of his chips. Except that there is one big difference:
in escalation dominance you are actually jumping several rungs up the ladder and inflicting serious damage on the other side. You accompany that move with the threat that you can and will do more significant damage unless it all stops right here, right now.

The fact that you have done that damage to them may cause the opponent to feel compelled to respond in kind. Or, if you have a highly rational actor on the other side, they’ll understand that the stakes are getting too high and they stand to suffer even more serious losses if things continue. In Exercise South China Sea, the PLA decided to engage in escalation dominance. In response to a cyber attack on the power grid in southeastern China, they not only hit the West Coast power grid, they disrupted the global Defense Department intranet, damaged the databases of U.S. financial clearinghouses, and sent additional kinetic warfare units into the crisis zone in the South China Sea.

As the game continued, the U.S. leadership had to decide quickly whether it stood to lose more than China in the next round of cyber war escalation. America would have been at a disadvantage, because it stood to lose more in an ongoing, escalating cyber war. It therefore sought a quick diplomatic settlement. Escalation dominance was the right move for China in this game because that escalation showed that the U.S. was more susceptible to cyber attacks and that further escalation would only make matters worse for the U.S. team. The U.S. could have tried to block cyber traffic coming from China. But because the Chinese attacks were originating inside the U.S., and there was not yet a deep-packet inspection system on the Internet backbone, the next, larger, Chinese cyber attack would have been very difficult to stop.

Put more simply, if you are going to throw cyber rocks, you had better be sure that the house you live in has less glass than the other guy’s, or that yours has bulletproof windows.

7. POSITIVE CONTROL AND ACCIDENTAL WAR

The issue we discussed above, of maintaining some means for the opponent to exercise command and control, raises a similar issue, namely: Who has the authority to penetrate networks and to use cyber weapons? Earlier in this chapter I suggested that it may require the approval of multiple Cabinet members to alter banking data, and yet we are not sure that the President knows that the U.S. may have placed logic bombs in various nations’ power grids. Those two facts suggest that there is too much ambiguity regarding who has what authority when it comes to cyber war, including preparation of the battlefield.