
On the offensive in the cyberspace arms race

by James Andrew Lewis

The Washington Post

Anyone with a computer and an Internet connection can launch a cyber “attack,” even though the skills and tools needed to do real damage are still in short supply.

The Internet was not built to be secure and will not become secure anytime soon. Networks are vulnerable. This explains why cyber-espionage and fraud are so easy. Economies depend on the Internet, and a growing number of services and devices are connected to it, making it an irresistible target.

Crash the computers that run these systems and things stop. Power grids, financial networks, communications, public utilities and transportation systems are all targets for cyber-attacks.

But truly destructive attacks are hard to pull off.

Cyber-attacks can disrupt data and services to sow confusion, cripple networks and computers (including those embedded in weapons systems) and in some instances, destroy machinery.

The risks are real, but easily exaggerated, as when a group of defense advisers intoned in a recent report that cyber-attacks have “potential consequences similar in some ways to the nuclear threat of the Cold War.”

Just as early air power enthusiasts ascribed miraculous qualities to air attacks, expecting them to produce intolerable destruction and rapid victory, the discussion of cyber-attacks too easily veers into the realm of science fiction, what one senior navy officer calls “fairy dust.” Sprinkle a little cyber-fairy dust on your military problem and it will disappear.

There is no fairy dust when it comes to offensive cybercapabilities. In the movies, a hacker types wildly on a laptop for a few seconds and turns off a city’s lights.

In fact, a serious attack can take months to plan, probing the target network and developing code tailored to damage, disrupt or destroy. Attacks have several stages: conducting reconnaissance to identify the target’s vulnerabilities, breaking in, delivering the software “payload” and then “triggering” it — all without being detected. The most damaging cyber-attacks — such as Stuxnet, which destroyed centrifuges used by the Iranian nuclear program — are still a high art. Only the United States, Britain, China, Russia and Israel possess the necessary skills, but many others want them.

Offensive cybercapabilities provide real military advantage. This is why most leading military powers are developing them. Publicly available information shows 46 countries with military cyberprograms, and 12 countries acknowledging offensive cybercapabilities in 2012 (up from four in 2011). Other countries have military programs but do not admit to them.

Unlike the United States, most countries say very little about their military doctrine. Most of them blend war-fighting and covert action in their cyberwar planning. Each nation’s plans for offensive cyber-operations reflect its own military strategy. The Russians combine political action with cyberstrikes on command networks and critical infrastructure to cripple opponents at the start of a conflict. The Chinese focus on quickly disabling U.S. military systems and have systematically hacked into just about every weapon related to U.S. plans for an “air-sea battle” in Asia. Iran will attack energy infrastructure and considers cyber a way to score against a distant and once-invulnerable foe. North Korea’s attacks are driven by its internal politics and dislike of the South.

There have been only a handful of true cyber-attacks. Russia and China are hyperactive in cyber-espionage but are cautious about offensive use and avoid actions that could trigger a violent response. Iran and North Korea are more aggressive and are improving their cybercapabilities. Iran attacked Saudi Aramco, destroying data on 30,000 hard drives. North Korea did something similar to South Korean banks. The worry is that either country will miscalculate in its use of cyber-attacks and stumble into a larger conflict.

Jihadis, anarchists and other nonstate actors do not have real cyber-attack capabilities. This is not much of a comfort, because acquiring attack capabilities is becoming easier. The trend in information technology is commoditization — products get smaller, cheaper and more powerful. Cyber-attack is being commoditized, and cybercrime provides innovative tools (such as the one Iran used against Aramco). Jihadis prefer the drama and violence of bombs to cyber-attack, but that may change. The Syrian Electronic Army has only basic skills but could use its ties to Russian and Iranian hackers to improve. The global trend is increased capabilities and more attackers.

For the United States, offensive cybercapabilities provide a new way to attack. The recently leaked Presidential Policy Directive 20 set the rules for “offensive cyber-operations.” Only the president can approve a cyber-operation likely to have “significant consequences,” such as loss of life or a damaging reaction, although the defense secretary or the head of the U.S. Cyber Command can take independent action in an emergency. The United States could relax the requirement for presidential approval — similar to the presidential authorization needed to use nuclear weapons — as technology improves, but offensive cybercapabilities are still too new, with too many unknowns, to let anyone but the president make a decision with potentially profound consequences.

Using offensive cyber-operations requires deciding on military goals and priorities. Once you get access to a target network, the first decision is whether to attack or to sit quietly and collect intelligence — because once you attack, you lose the access for spying. The second decision is whether the target is valuable enough to justify using the cyber “weapon” — because once you attack, the opponent can develop countermeasures or fix vulnerabilities, making your weapon “single-use” (no one will fall for Stuxnet again).

There also are potentially tough political decisions. Attacking a “tactical” target could unintentionally damage “strategic” targets hundreds of kilometers away and expand and escalate the conflict. An attacker may not know what is connected to a target network — one early cyber-attack disabled its target along with a broadcast network in a nearby allied country. Attacking a bridge and knocking out a hospital along with it is the kind of outcome to avoid, because it runs contrary to our rules for warfare and could create enormous political damage.

Someone needs to decide when the benefit of an attack outweighs the loss of intelligence or the political risk, or when a target justifies expending a weapon that might never work again. The inability to predict collateral damage and uncertainty over political effect have made the United States cautious. Presidential Policy Directive 20 restricts independent action by tactical and operational commanders for this reason. A local commander may not know all the trade-offs or the risks that a cyber-attack could entail. Until we get better predictive tools, judgments about risk and consequences require decisions that only the top defense officials in Washington can make.

Offensive cyber-operations are an inevitable part of conflict. They are no more likely to go away than are guns or missiles. A new technology appears and is adopted for military use. Soon all advanced militaries have it. If the technology is cheap enough, smaller countries and amateurs will acquire it as well. This has been the pattern for weapons since the start of the Industrial Revolution and it still holds for cyber-attacks.

Perhaps nations will agree on limits to govern offensive cybercapabilities — although until this year, there wasn’t even international agreement that the laws of armed conflict could apply to cyber-attacks — but no one will give them up.

Offensive cyber-operations give America a military advantage, but opponents also can carry them out. The U.S. leads the world in cyber-offense, but its defenses are weak and it is beginning to lag behind other nations.