Cyber War: The Next Threat to National Security and What to Do About It (32 page)

The notion contained in the “arsonist principle” is one that can be applied to cyber war. While we talk about cyberspace as an abstract fifth dimension, it is made up of physical components. These physical components, from the high-speed fiber-optic trunks, to every router, server, and “telecom hotel,” are all in sovereign nations, except perhaps for the undersea cables and the space-based relays. Even they are owned by countries or companies that have real-world physical addresses. Some people like to contend that there is a “sovereignty problem” on the Internet, that because no one owns cyberspace in its entirety, no one has any responsiblility for its integrity or security. The arsonist principle, articulated in an international agreement as National Cyberspace Accountability, would make each person, company, ISP, and country responsible for the security of their piece of cyberspace.

At a minimum, countries like Russia could no longer claim that they have no control over so-called patriotic hacktivists. An international agreement could hold host governments responsible either for stopping these hackers from participating in illegal international activities, or at least requiring nations to make their best effort to do so. In addition to their own police activities, a nation that is party to an international agreement might have an
obligation to assist
. Such an obligation could require them to respond quickly to inquiries in international investigations, seize and preserve server or router records, host and facilitate international investigators, produce their citizens for questioning, and prosecute citizens for specified crimes.

The existing 2001 Council of Europe Convention on Cyber Crime already incorporates many of these obligations to assist. The United States is a party to the convention. Our sovereignty is not being infringed upon by some supranational Olde Europa bureaucracy. Rather, by signing the convention, the U.S. is promising to pass any new legislation necessary to provide the U.S. government with the authority to do the things necessary to meet the obligations in the agreement.

Going beyond the current cyber crime convention, however, a cyber
war
convention could make nations responsible for ensuring that their ISPs deny service to individuals and devices participating in attacks and report them to authorities. Such a provision would mean that ISPs would have to be able to detect and “black-hole” major worms, botnets, DDOS attacks, and other obvious malicious activity. (Some of this process of identifying malware is something far less difficult than deep-packet inspection and can be done largely by something called “flow analysis,” which really means nothing more than watching how much traffic is moving on the network and looking for unusual spikes or patterns.) If a nation did not successfully compel an ISP into compliance, the international agreement could establish a procedure that transferred responsibility to
other nations. An ISP could be internationally black-listed. All participating nations would then be required to refuse traffic going to or from that ISP until it complied and stopped the botnets or other obvious malware.

Such an international agreement would deal with a portion of the attribution problem, by shifting responsibility. Even if the attacker could not be identified, at least there would be someone who could be held responsible for stopping the attack and investigating who the attacker was. Such an obligation would not require most nations to add new cyber forensics units. Nations like China and Russia have the ability now to identify and move quickly against hackers. As Jim Lewis of the Center for Strategic and International Studies has said, “If a hacker in St. Petersburg tried to break into the Kremlin system, that hacker could count the remaining hours of his life on one hand.” You can be sure that the same is true for anyone in China trying to hack the People’s Liberation Army network. If China and Russia signed a cyber war agreement with obligations like the ones suggested here, those governments could no longer blame their citizens for DDOS attacks on other nations and then stand back and do nothing. Failure to act promptly against citizen hackers would result in the nation itself being held in violation of the agreement and, more important, in other nations disconnecting all traffic from the offending ISPs. Nations could black-hole such rogue traffic from other countries now, but in the absence of a legal framework, they are reluctant to do so. An agreement would not only permit nations from blocking such traffic, it would require them to do so.

A National Cyberspace Accountability provision and its corollary Obligation to Assist would not completely solve the attribution problem. The Russian botnet attack could still come from Brooklyn. The Taiwanese hacker sitting in the San Francisco cyber café could still attack a Chinese government website. But under such an agreement the U.S. would have to stop the botnet and actively
investigate the hacker. In the case of a hypothetical Taiwanese agent hacking into Chinese networks in violation of an international agreement, the U.S. government, when notified by China of such activity, would have to task the FBI or Secret Service to help the Chinese police track down the culprit in San Francisco. If he was found, he could be tried in a U.S. court for violation of U.S. law.

Of course, nations may say that they are looking for hackers and not be. They may try culprits and find them not guilty. When notified of a botnet originating on an ISP in their country, nations may take their sweet time doing something about it. To judge whether a nation is actively complying or is just being passive-aggressive, it may be useful if a cyber war agreement created an “International Cyber Forensics and Compliance Staff.” The staff of experts could make reports to member states on whether or not a nation is acting in the spirit of the agreement. There could be international inspection teams, similar to those under the nuclear nonproliferation agreement, the chemical weapons ban, and the European security and cooperation agreement. Such teams could be invited in by signatory nations to assist in verifying that a cyber war attack had occurred in violation of the agreement. They could help determine what nation had actually launched the attack. The international staff might also, with the voluntary cooperation of member states, place traffic-flow monitoring equipment at key nodes leading into a nation’s networks to help detect and identify the origin of attacks.

The international staff might also run a center that nations could contact whenever they believed they were coming under a cyber war attack. Imagine that an Israeli network is hit with a botnet DDOS attack from an ISP in Alexandria, Egypt, at three in the morning, Tel Aviv time. Israel, like all signatory countries in our hypothetical agreement, would have a national cyber security liaison office constantly staffed. The Israeli center would call the international center, say, in Tallinn, and report that a cyber attack was originating
from a certain ISP in Egypt. The international center would then call the Egyptian national center in Cairo and request that they immediately investigate whether there is a botnet operating on that ISP in Alexandria. The international staff would time how long it took Egypt to comply and shut down the attack. Perhaps the international staff would be able to look at traffic-flow monitors on gateways coming out of Egypt and see the botnet spike. Egypt would be required to respond with a report on its investigation of the attack. If the incident warranted it, the international staff might ask to send a team of investigators to assist or observe the Egyptian authorities. The international staff could file a report, with conclusions and recommendations, to member states on the incident.

Nations that were found to be scofflaws could be subject to a range of sanctions. In addition to having traffic to and from offending ISPs denied by ISPs in other member states, the offending nation could have its hands slapped by the international organization. For more drastic action, nations could deny visas to officials from the offending nation, limit exports of new IT equipment to the nation, limit the overall amount of cyber traffic to and from the nation, or disconnect the nation altogether from international cyber space for a period of time.

These verification and compliance provisions in a cyber war agreement would not totally solve the attribution problem. They would not prevent a nation from spoofing the source of an attack or framing another state. They would, however, make it more difficult for some kinds of cyber war attacks, while establishing norms of international behavior, providing international legal cover for nations to assist, and creating an international community of cooperating experts in fighting cyber war. It is also important to remember that the capability to conduct attacks that amount to cyber war currently requires a state-level effort, and only a handful of states have advanced capabilities. The list of potential attackers
is small. Attribution is a major problem for cyber crime, but for warfare, technical forensics and real-world intelligence can narrow down the list of suspects fairly quickly.

What emerges from this discussion of cyber arms control are five broad conclusions. First, unlike other forms of arms control that destroy weapons, cyber arms control cannot eliminate capability. It can only prohibit acts. Thus, a nation could move from a state of compliance to a gross violation in seconds and without warning.

Second, broad definitions of cyber warfare, such as those that include espionage, are not verifiable and are not in our interest as a nation. Nonetheless, national intelligence services and national governments should initiate channels for discussions so that intelligence activities do not get out of hand, or become misconstrued as showing hostile intentions.

Third, international agreements that prohibit certain acts, such as cyber attacks on civilian infrastructure, are in our interest. Because such attacks could still take place, such agreements would not in any way diminish the need to take defensive steps to protect that infrastructure.

Fourth, high-confidence verification of compliance with a cyber war limitation agreement will not be possible. We may be able to verify a violation, but attribution of the attack will be difficult and could be subject to intentionally misleading activity. Nonetheless, there are measures that can contribute to an international norm against cyber attacks on civilians, namely, an expert international staff, national governmental responsibility for the prevention of violations originating within a nation’s borders, and an obligation to assist in stopping and investigating attacks.

Finally, limits on cyber war attacks against civilian infrastructure would probably mean that we and other states would have to cease any activity in which we may be engaged with logic bombs, and perhaps trapdoors, in other nations’ civilian infrastructure networks.
Lacing infrastructure with trapdoors and logic bombs, although little noticed or discussed by the media and the general population, is dangerously provocative. They are alluring because they offer some of the results of war, but without soldiers or death. But they also signal hostile intent far more than any weapon that stays in a nation’s inventory. They could be utilized easily and quickly, without proper authorization, or without a full appreciation for what kind of spiral of escalation they might cause. Although a war might start in cyberspace and be conducted without soldiers or bloodshed, it would be highly unlikely to stay that way for long. By lacing on another’s infrastructure networks with cyber weapons, nations have made starting a war far too easy.

I
nvisibly, military units from over a score of nations are moving into a new battlespace. Because the units are unseen, parliaments and publics have not noticed the movement of these forces. Because their first skirmishes have been isolated and involved only simple weapons, few have thought that cyber warriors could do more. Because most of the major military powers are also one another’s trading partners, commentators cannot envision the circumstances that could turn their relations to hostility. Because the United States has been at war in one nation for seven years and in another for nine, is struggling with its worst-ever recession, and is diverted by partisanship, the “bandwidth” of its policy elites is already consumed. Thus, with attention diverted elsewhere, we may be laying the groundwork for cyber war.

There may be parallels in the early years of the last century.
Barbara Tuchman in
The Proud Tower
describes a world similarly diverted from the realization that its various militaries were preparing devastating forces without contemplating the horrific consequences of their use. Then, as she describes in the sequel,
The Guns of August
, a spark caused those forces to be activated. Von Schlieffen’s elaborate military use of Germany’s massive new freight rail network literally set wheels in motion that could not be stopped. The military use of the new chemical industry added an element of destructiveness. The use of chemical weapons did far more damage than anyone had anticipated. Today our military is developing elaborate plans for a new kind of war, once again using a technology originally designed for commercial use. As in the period one hundred years ago, those plans have received little public scrutiny.

There have been few times in our history when the American academic community, the media, and the Congress have focused on a potential problem and together cast so much light on an issue that controls were put in place that averted calamity. The issue of strategic nuclear war, referenced much in this book, is the clearest example. A new technology had burst upon the world and the U.S. military had seen in it a way to achieve military dominance and, through that, peace. At airbases with the signs “Peace Is Our Profession,” the plans called for early and massive use of nuclear weapons in a war, against cities and civilian targets. Not until the research community focused a public klieg light on those plans and the larger issue of how to fight nuclear war, were rational controls and plans developed and adopted.

Today at U.S. Cyber Command, and at its related agencies, some of our nation’s most intelligent, patriotic, and undercompensated government employees, military and civilian, are putting plans and capabilities in place to achieve “dominance in cyberspace” to maintain this country’s security and preserve the peace. In other nations, cyber war units are also preparing. As part of that preparation, cy
ber warriors are placing trapdoors in civilian networks, placing logic bombs in electric power grids, and seeding infrastructure for destruction. They believe that their new form of warfare is an advance, not just because of its use of the latest technology, but because it does not involve explosives and direct lethality. Like the Predator pilots who sit in the United States, killing Taliban in Pakistan by remote control, they could subconsciously think that because they live in a peaceful suburban environment, the effects of their destruction on the other side of the world may somehow be clean and neat, unlike “real war.”

When in a period of rising tensions, in some future crisis now unforeseen, a cyber warrior of some nation is ordered to “send a message” to the potential adversary by using one of the logic bombs already in place, will it forestall or will it trigger a broader shooting war? Perhaps because the opponent is misled about who started the war, other nations will be drawn in. Possibly, the cyber warrior in one of the score of nations with capability will act without authority, initiating a conflict. Alternatively, it may be a hacker who uses a cyber weapon for destruction rather than crime, or discovers and sets off a logic bomb left behind by someone else. The cyber war that ensues could be incredibly rapid and global.

When an American President sends U.S. forces to bomb a rogue state’s nuclear weapons factory or terrorist camp, that nation may not be able to respond against our impressive conventional military forces. And yet, for a small investment in a cyber war capability, it may respond by destroying the international financial system, in which it has very little stake. The asymmetry of what it costs to counter our conventional military versus the minimal investment required for a cyber war capability will tempt other nations, and perhaps criminal cartels and terrorist groups as well.

Because the U.S. invented the Internet and has perhaps led in cyber espionage and the creation of cyber war tools, it may have
developed an implicit arrogance, causing us to assume that no one could humble America in a cyber war. Our cyber warriors and, to the extent that they think of cyber war, our national security leaders in general, may take comfort in the fact that we could perhaps see a cyber attack coming. They may think that we could block some of it, and they may believe we could respond in kind, and then some. The reality is that a major cyber attack from another nation is likely to originate in the U.S., so we will
not
be able to see it coming and block it with the systems we have now or those that are planned. Yes, we may be able to respond in kind, but our nation will still be devastated by a massive cyber attack on civilian infrastructure that smacks down power grids for weeks, halts trains, grounds aircraft, explodes pipelines, and sets fires to refineries.

The reality may also be that when the U.S. President wants to retaliate further, he will be the one who will have to escalate. He will be the one who will have to cross the cyber/kinetic boundary. And he may find, when he does, that even our conventional forces are cyber dependent. The U.S. military’s reliance upon cyber systems exceeds the extensive dependence of the commercial infrastructure. The contractors required for America to fight a war may be immobilized by cyber attack. The allegedly hermetically sealed computer networks upon which the Department of Defense relies may prove porous and unavailable. Highly advanced technology in the conventional weapons and systems that give U.S. forces dominance (for example, the F-35 fighter and the Global Positioning System) may suddenly not work. We are not the only nation that can install a logic bomb.

With a nation in the dark, shivering in the cold, unable to get food at the market or cash at the ATM, with parts of our military suddenly impotent, and with the regional flashpoint that started it all going badly, what will the Commander-in-Chief do? Perhaps he will appoint a commission to investigate what went wrong. That
commission will read the work of another commission, one appointed by Bill Clinton in 1996, and be astonished to learn that this disaster was foreseen back then. They will note the advice of a non-government commission written in 2008 advising the next President to take cyber war seriously. They may, if they are diligent, find a National Academy of Sciences study on Offensive Information Warfare from 2009 that warned that cyber war policy was “ill-formed, undeveloped, and highly uncertain.”

The post-disaster commission, a special committee of the Congress, or the next President would likely recommend a plan so that “this sort of thing can never happen again.” Since we know now what has been recommended already, what hasn’t worked, and why, perhaps we should not wait for a disaster to embark on a plan to deal with cyber war. If we strip away the luxuries and the things that would be nice to have, there are six simple steps that we need to take simultaneously and now to avert a cyber war disaster.

1. THINKING ABOUT THE UNSEEABLE

First, we must initiate a broad public dialogue about cyber war. A student looking to choose a graduate school asked me recently to recommend a university where she could take courses on cyber war. We scoured course catalogues and found none at any of the major security-policy schools, such as Harvard’s Kennedy School, Princeton’s Woodrow Wilson School, or Texas’s Lyndon Johnson School. She asked what books she should read and we found some interesting titles, but few that really delved into the policy and technology of cyber war. Many that seemed promising turned out to use the phrase “information war” to mean psychological warfare or public diplomacy.

Perhaps there are few books on cyber war because so much of
the subject matter is secret. Maybe there should be public discussion precisely because so much of the work has been stamped secret. In the 1950s and 1960s, people like Herman Kahn, Bill Kaufmann, and Albert Wohlstetter were told that nuclear war was something that could not really be discussed publicly. One of Kahn’s responses was a book called
Thinking About the Unthinkable
(1962), which contributed to a robust public dialogue about the moral, ethical, and strategic dimensions of nuclear war. Open research and writing done at MIT, Harvard, Prince ton, Chicago, and Stanford also contributed. Bill Kaufmann’s classes at MIT, Harvard, and the Brookings Institution taught two generations how to think about nuclear strategy and how to ask analytical questions, so that they could think on their own. Today at Harvard and MIT, the aptly named Project Minerva, an open research program on cyber war funded by the Defense Department, has begun. (I am reminded of Hegel’s dictum that “the owl of Minerva always flies at dusk,” meaning that wisdom comes too late.)

The mainstream media’s treatment of cyber war has improved. Reporters at the
Wall Street Journal
and the
New York Times
have written on it since 2008. Public television’s highly respected
Front-line
series did an hourlong examination in 2003,
Cyber War
. Television has focused much more on identity theft by cyber criminals because so many readers and viewers have already been victimized by cyber crime. Movies, however, have been filled with cyber war. In
Live Free or Die Hard
, a former government cyber security official who wasn’t listened to (whom the
New York Times
reviewer said was reminiscent of me. Nonsense!) cripples national systems. In
Eagle Eye
, hacking causes high-tension lines to melt and general havoc to erupt. In
The Italian Job
, the hacking is limited to traffic lights, but in
Ocean’s Eleven
there is a power blackout in Las Vegas. There are so many more that much of the moviegoing public has little trouble understanding what cyber war can do. High-level policy officials
apparently seldom make it to the movies. Or maybe they think it’s all just fantasy. To make them understand that such scenarios can really happen, we need an exercise program to drive home the point. General Ken Minihan has been promoting the idea of an Eligible Receiver–type war game for the private sector. “We could scare the pants off them, the way we did for the President in ’97.”

Congress, surprisingly, has held numerous hearings on cyber security and has tasked its Government Accountability Office to investigate. One GAO report asked whether the warnings that hackers could attack a power grid were true. GAO investigated one of the few power grids owned and operated by the federal government, the Tennessee Valley Authority’s system. GAO reported back in 2008 that there were significant cyber security vulnerabilities on the TVA grid that left it open to attack. On cyber war, however, as distinct from cyber security in general, Congress has done little in the way of oversight, hearings, or legislation.

Congress is a federation of fiefdoms, subject to the vicissitudes of constant fund raising and the lobbying of those who have donated the funds. That situation has two adverse consequences with regard to congressional involvement in cyber war oversight. First, everyone wants his or her own fiefdom. Congress has resisted any suggestion, such as was made by Senator Bob Bennett (Republican of Utah), that there be one committee authorized to examine cyber security. As a result there are approximately twenty-eight committees and subcommittees involved in the issue and none with jurisdiction to think holistically. Second, Congress “eschews regulation” and spits it out. The influential donors from the information technology, electric power, pipeline, and telecommunications industries have made the idea of serious cyber security regulations as remote as public financing of congressional campaigns or meaningful limits on campaign contributions.

The dialogue we need will require meaningful academic research
and teaching, a shelf of new books, in-depth journalism, and serious congressional oversight.

2. THE DEFENSIVE TRIAD

The next item on the agenda to prevent cyber war is the creation of the Defensive Triad. As proposed earlier in this book, the Triad stops malware on the Internet at the backbone ISPs, hardens the controls of the electric grid, and increases the security of the Defense Department’s networks and the integrity of its weapons. Much of the work in DoD has already begun as a result of President Bush’s decision in his last year in office. The Defensive Triad is not an attempt, as my National Strategy for Cybersecurity was, to defend everything. The Triad is, however, designed to defend enough so as to cause another nation to think twice before launching a cyber war against us. A potential attacker needs to believe that much of his attack will fail and that its greatest effect will be retaliation of various sorts. Without the Defensive Triad, the U.S. should itself be deterred from acting in any way (not just in cyber war) that could provoke someone into a cyber war attack on America. Today we are so vulnerable to a devastating cyber war attack that U.S. leaders should walk cautiously.

We cannot build two of the three prongs of the Defensive Triad (the defense of the Tier 1 ISPs and of the electric power) without additional regulation. The argument I have made in the past about homeland security in general is that without using regulation the federal government is trying to achieve security with one of its arms tied behind its back. There was an era when federal regulations were overly intrusive and ineffective, but that is not inherent in the idea of the government asking industries to avoid doing some things and defining desired end states. At the Black Hat conference
in 2009 (discussed earlier), the cyber security expert and author Bruce Schneier made the same point, arguing that “smart regulation” that specifies the goal and does not dictate the path is needed to improve cyber security.