2 November 2015

How Scared Should We be of Cyberwar?

27 Oct 2015

In an age of ubiquitous networking, popular culture and the media have become increasingly fascinated with the idea of cyberwar. As the west pours billions into the latest fancy war gadgetry – from the armed drones that increasingly fight our wars in Afghanistan, Iraq and Syria, to the next generation F-35 fighters that are meant to dominate enemy airspace through multimillion pound suites of on board computer wizardry – the spectre of militarised hacker groups with fingers on the off switch looms ever larger in the public consciousness. Having the biggest, best-networked stick is at the core of western military doctrine – but that doesn’t matter if your arm fizzles and stops working when you go to swing it.

State funding for cybersecurity is increasing around the world. Today, dozens of countries have at least some capacity to fiddle with other countries’ computer systems, at best for surveillance, at worst for purposes of theft, sabotage or warfighting. More alarmist accounts warn that nothing is safe, from electricity grids to banking infrastructure to the very smart weapons that are supposed to win modern wars. But with so little public information on what the US government grimly defines as the “fifth domain” of warfare, how much danger are we really in? What can a 21st-century army of cubicle warriors do? And what, if anything, is there to be happy about?

What is Cyberwar, Anyway?

One of the big problems in managing cyber conflict is getting everyone to agree on exactly what ‘cyber warfare’ actually is. Certainly, in the Hollywood ‘Cyber Doom’ scenario, in which the banks fail, the lights go out and the sewage plant explodes, there would be a consensus. But where’s the cut-off point? At what point does an annoying act of online vandalism or harassment turn into something more sinister?


When Israel bombed a suspected Syrian nuclear reactor after disabling its air defences on September 6th, 2007, it gave the world perhaps its clearest example of what cyber-attacks might do in conjunction with conventional military operations. When flights of Israeli F-15s and F-16s crossed into Syrian airspace, the Russian-made air defence radars saw nothing at all. No one on the defending side knew what was happening until after the plant in question had exploded.

On the other hand, what to make of the US, when it cracked the Iraqi military’s internal communication network ahead of the 2003 invasion and used it to send a mass email encouraging commanders to abandon their posts and vehicles? No one was hurt in this cyber ‘attack’, and while no equipment was destroyed, some certainly was disabled, clearing the path for the invading ground forces.

Some even quite pedestrian technologies (at least to western users) might be thought to constitute a form of cyber warfare in the eyes of less permissive regimes. If revolutionaries use American social media sites and anonymising technologies like Tor to organise an uprising (as was the case during the Arab Spring), is America complicit in a kind of ‘cyber propaganda’?

Russia and China, for instance, keep very close tabs on what their citizens are accessing online (Russia through the blanket monitoring system called SORM, the Chinese through a system of countrywide censorship that western media has pithily dubbed the ‘Great Firewall of China’). Twitter might, at worst, seem like a nuisance to a western government, but for others, as has been seen in China’s dispute with Tibet, it’s a potential tool for fomenting political dissent – a key weapon in a war of ideas.

Finally, perhaps most famously, we have the example of Stuxnet: a highly sophisticated worm deployed in 2009 and discovered in 2010. Stuxnet was expertly designed to hunt around networks looking for a very specific target: Windows computers running software controlling arrays of centrifuges, of the type used to enrich uranium for the production of a nuclear bomb. It found its target in Iran’s nuclear enrichment facility at Natanz, where it directed the centrifuge motors to spin out of control, causing about 1,000 of them to break. The damaged centrifuges then had to be removed, temporarily hobbling production at Natanz.

Depending on which end of the attack you find yourself, any and all of the above could be construed as the first strike in a cyber war, making the question of proportional response a murky one. But even if a government declares itself under attack, responding isn’t as easy as deciding how much punishment to dole out in return.

So, You’ve Been Attacked by Cyberwarriors

Stuxnet is a useful example of what’s known as the ‘attribution problem’. The principal quandary is this: while you might be sure that someone definitely is using computers to snoop around your enrichment facility (or your civilian infrastructure, your government networks, your military intranet, etc.), knowing who is doing the snooping (or worse) is a whole other problem. For all the accusing fingers pointed at the US and Israel in the wake of Stuxnet, no one was definitively able to prove either country’s involvement (members of the Obama administration later admitted responsibility to the New York Times). NATO hit the same stumbling block in 2007, when Estonia suffered widespread distributed denial-of-service (DDoS) attacks after offending the Russian government with its decision to move a statue commemorating Soviet war dead.

Unfortunately (or perhaps fortunately), pinning the blame conclusively on Russia was tricky. Not only can cyber-attacks be launched from computers outside the attacker’s country (using individual compromised computers or networks thereof), but even when the source of an attack can be traced back, both Russia and China have a history of throwing up their collective hands and blaming the attacks on cybercriminals who just happen to be working from inside their borders. That’s not an explanation that’s given much credence in the west (in 2013, the New York Times tracked a spate of intrusions back to a Chinese military building in Shanghai, and published a picture of it on the front page of the paper) – but it adds another layer of deniability, and obfuscation, when the victim of a cyberattack is deciding where to point a response.

Defending against sustained, high-end cyberattacks, then, might come down to a combination of inference and deterrence. If, as was the case in Estonia, your systems start failing in the middle of a diplomatic spat with Russia, then you have a credible suspect – even if you don’t catch them red-handed. Two countries with serious capabilities in cyberspace might credibly deter each other from dishing out harsher and harsher punishments – both in cyberspace and, if there is one, the physical battlefield.

That’s what the world’s more developed cyber powers seem to be preparing for. While the US is publicly outraged at China’s alleged theft of its intellectual property – and came to a recent agreement with China that its widespread data theft must stop, an agreement on which China appears to be reneging – it’s a lot quieter about something arguably more sinister: evidence that China and Russia have been independently poking around critical infrastructure, like its power grids, and leaving behind malicious code that could allow the PLA’s cyberwarriors fatally damaging access in the event of a gloves-off conflict. That the theft of US IP (as was infamously the case with the F-35 designs that were stolen from defence contractor Lockheed Martin) produces greater public condemnation than attacks on infrastructure might be construed to imply that the west’s own actions aren’t squeaky clean in that regard, either.

What Would a Cyber-Attack Hit?

Potentially, anything that’s computer-controlled in which attackers can find a vulnerability. As the Stuxnet worm proved, a system doesn’t even have to be connected to the outside internet to be vulnerable; Stuxnet is thought to have been smuggled into the Natanz reactor on a USB stick.

But obviously, the more of your critical infrastructure that’s run by computers, the more potential targets an attacker has to work with. An irony of cyberwarfare is that nations best equipped to fight in cyberspace may also be the most vulnerable. The US may have the greatest offensive cyber capabilities in the world, but because of its reliance on computer networks for both its civilian and military infrastructures, cyber-attacks might make for a very appealing form of asymmetric warfare. You might not be able to militarily hurt a nation like the US, but the very fact that it is so advanced could potentially make it vulnerable – and the UK has the same problem.

“I think you would have to put the UK in the same bracket as the US – a modern, high-tech, interconnected and interdependent country,” says Dr. Tim Stevens, teaching fellow in the department of Politics and International Relations at Royal Holloway and an expert in cyberwarfare. “In terms of infrastructure that very much run alongside and intertwine with one another, I don’t think there’d be much point in distinguishing the US from the UK, or indeed from Japan, or Australia, or Israel, or any of the high-tech, developed nations of Europe.

“The soft, white, technological underbelly of advanced societies presents a rather juicy set of targets for anyone who’s wishing to do ill through cyber means. But a country that’s rather less well connected, like North Korea, can actually go on the offensive with rather less risk of being hit back. At least, they have a much reduced target set, so in that respect, they might find it easier to defend themselves as well.”

But while civilian networks and infrastructure might be (at least, one would hope) softer targets than their military equivalents, shouldn’t these sorts of thing be off limits in warfare? We wouldn’t intentionally black out a city by blowing up a civilian power plant with a cruise missile – why should a cyber-attack be any different?

“The issue is basically that we don’t know if [civilian targets] are legitimate or illegitimate, but international humanitarian law would suggest that cyber does apply to it, and if it does apply to cyber, then you can’t suddenly go switching off all the controls on the local sewage treatment plant, or turning off electricity infrastructure in a major city, because those are civilian targets rather than military ones,” says Stevens. “So it seems to me that, broadly speaking, the laws of armed conflict and international humanitarian law [should] apply to cyber as much as they do to anything else.”

How Good is the World at Cyberwarfare?

Another unique feature of cyberwarfare is that, unlike a fancy new missile or jet fighter, it’s almost impossible to demonstrate your capabilities without simultaneously undermining them. Air shows and military exercises have deterrent value, but once an adversary knows what kind of exploit you’re using to target their systems, that exploit can be patched, and the advantage it conferred evaporates. As such, it’s difficult to say with much certainty what any country – the UK included – would be capable of should worst come to the very worst.

“We don’t know [what the UK’s capabilities are],” says Stevens. “We know a little bit more about the type of skillsets that the UK has, through the Snowden disclosures, purely in the sense that GCHQ is very capable of projecting its expertise and skills globally, sometimes with the Americans, sometimes without. I think we should assume that GCHQ in particular, and perhaps elements of the armed forces, have some extremely advanced capabilities indeed. I think in that respect we’re probably more or less comparable to France, Israel, Korea, perhaps even in some respects to the Americans.

“But this is not the kind of thing you read about in defence magazines. This is not the sort of thing that people talk about in open conference. So it’s very much a hidden capability. We’re left guessing what our particular country could achieve if it wanted to. But I wouldn’t be surprised if GCHQ had capabilities that were world class.”

Outside of the west and its traditional allies, the two key players in the field of cyberwar are Russia and China. As with the US and Stuxnet, both nations have shown advanced capabilities with cyber-attacks – although so far, both have also been following different strategies.

“As far as we’re aware, there is a difference in degree [between Russian and Chinese operations],” says Stevens. “China seems quite happy to allow elements of the PLA [People’s Liberation Army], its industries and its universities to be very active in foreign networks scouting for, in particular, defence related commercial data. The Russians have, as far as we know, used all manner of state-allied groups and individuals to perform certain things in pursuit of national strategic ends, with a rather more security-related inflection to it.

“China has turned round and said, ‘post-Snowden, we know that you’re in everybody’s networks [too]’. To which the US says, ‘OK, but the difference is not that we’re in your networks and you’re not in ours or vice versa; the difference is that you steal intellectual property and then sell it on to your own state-owned defence industry, and then you make products out of that.’ The Americans are absolutely adamant that they don’t do that. I don’t know if the Russians are involved in that sort of thing, but they don’t have the reputation for it.”

Is There an Up-Side to All This?

Yes. For all the apocalyptic, Die-Hard-ian visions of death by cyber-attack, there are a few peculiar aspects to cyberwarfare that could actually end up making us safer.

The first is that, while publicly all governments decry acts of computer espionage, everyone being able to see what everyone else is up to has, historically, been no bad thing.

“Espionage is as old as man, and there’s no international legislation to prevent it,” says Stevens. “It’s a norm of international behaviour… Most countries rely on a certain amount of transparency to reduce suspicion in the international system. So, in some senses, [espionage] is a social good.”

The second useful aspect of cyberwar, from the perspective of everyone who doesn’t want to die in a missile exchange, is that it may end up adding an extra buffer between diplomatic reprimands and a proper shooting war.

“The interesting thing about cyber is that it does add that additional layer below the nuclear threshold,” Stevens continues. “It may be a way of achieving strategic ends through relatively bloodless conflict – that’s certainly the argument that a lot of people have made… It’s much easier to disable an electrical grid and then turn it back on later than it is to rebuild it from scratch if it’s been bombed into a hole in the ground. Switching things off and on [also] has a potentially rather less destructive effect on people around it, in terms of collateral damage and so on. So it may be an additional layer that prevents us from ever getting up to that horrendous nuclear threshold that’s still hovering over us even as most of us forget about it.”

Finally, we come back to the idea of modern warfare’s dependence on networks. So much of what today’s militaries do now is dependent on computers: guidance systems in smart bombs and cruise missiles rely on GPS, drones and communications networks work through satellites. With few people sure (at least publicly) how effective potential cyber-attacks might be, we’re left with the intriguing question of whether a traditional, face-to-face shooting war would even be possible anymore. If both sides in a conflict have good reason to believe that their systems might not work – or worse, be delivering them false information – how likely are they to throw their priciest hardware (not to mention the lives of their troops) into harm’s way?

“Twenty-five years ago when we first started talking about the [ideas of network-centric warfare], it looked like the future, right?” asks Stevens. “Massive information networks that would direct precision strikes and remote armed vehicles and so on. It was only a little bit later that we suddenly realised all these networks were quite vulnerable. So we had entire floating platforms (warships), that needed to be retrofitted to be less vulnerable to particular types of electronic and cyber-attack, and the fleets simply hadn’t been defended against those attacks. You could, hypothetically at least, do an awful lot of damage just in the first few hours of conflict, just by hacking into or turning off or subverting all these systems. And [then], would it be possible to engage?

“It seems unlikely that nothing would happen, but it seems very likely that some things wouldn’t happen.”

How Scared Should We Be?

While for decades developed nations could get a pretty good idea of what their adversaries were capable of through the lenses of spy satellites, cyberwarfare exists in the dark. Its most potent tools can’t even be demonstrated, for fear of rendering them instantly inert. We may have ideas of what different countries are capable of, but by its clandestine nature, there’s no totally reliable picture of what a war fought with computers would look like.

Perversely, that uncertainty might be what keeps us safe.

“Escalation tends to come about when there’s poor communication between adversaries,” says Stevens. “What I would hope is that if, for example, the US and China just cannot resolve this issue of the South China Sea… If it gets to the point where, quite quietly, they’re switching things off and on in each other’s infrastructures, they might get together and say, ‘well, we’re not entirely sure what you’re capable of, but clearly you’re capable of something, and you just turned off South Central LA, or we’ve just turned the lights off and on again in Beijing. Maybe this is really the time to start talking.’”

Tim Stevens is a teaching fellow in the department of Politics and International Relations at Royal Holloway. His research interests include the politics of cybersecurity and information technology and global politics. He is the author of the upcoming book, Cyber Security and the Politics of Time.
