Warfare entered the 21st century earlier this year when Estonia came under assault by activists who attacked the country’s computer systems. The prospect of war in the digital domain is a sobering one for security establishments that are still unprepared for it. The proliferation of networked systems, and the critical role that information technologies play in modern societies, demand that all governments be ready to defend themselves on the new battlefields of cyberspace.
Estonia came under attack when the Tallinn government decided in April to move Soviet-era war memorials — a statue of a Soviet soldier and the remains of soldiers — from the center of town. Infuriated Russians responded with “denial of service” attacks — the bombardment of computers with information that overloads them and shuts them down — on key Estonian Web sites. It is still unclear whether the Russian government had a hand in the assaults; Moscow denied involvement and the attacks apparently came from a variety of countries.
The assault on Estonia is not unprecedented. In recent years, Internet activists have gone after a variety of Web sites, public and private, when they feel aggrieved or offended. Japan felt the sting of Internet anger after Prime Minister Junichiro Koizumi visited Yasukuni Shrine.
At various times, U.S. agencies — the Department of Defense in particular — have come under attack by foreign sources. Corporate Web sites are regularly assaulted when management policies offend the sensibilities of activists.
The focus on cyberwarfare reflects two separate strands of thinking. The first is the recognition that many societies are dependent on information technologies to function and survive. Indeed, such technologies now constitute the very backbone of advanced industrial economies. Yet the integration of those technologies has not been matched by security measures to protect that infrastructure. The result is new vulnerabilities that, if exploited, could paralyze a country.
Imagine an end to electronic transactions — including access to cash — or the failure of computer systems that regulate trains, air traffic systems, traffic lights, energy, telephones — the list is endless. Efforts to fight terrorism will be fatally undermined if regional or city databases are not protected and personnel records are left susceptible to alteration.
A second focus is the use of information technologies within the military establishment itself. The two Persian Gulf Wars underscore increasing U.S. reliance on information technologies. Governments are now targeting these technologies in the pursuit of “asymmetric warfare,” whereby adversaries exploit the weakest link of an opponent’s defense.
In its most recent annual report on the Chinese military, the U.S. Department of Defense warned that China is devoting ample resources to “computer network attack, computer network defense and computer network exploitation.” These skills will be especially valuable in a conflict over Taiwan, in which the U.S. is expected to muster superior forces. Cyberwar would go a long way toward leveling the battlefield.
Plugging those holes is critical. Defense planners are increasingly alert to the need to do just that. After the attacks on Estonia, NATO agreed to establish a committee to begin preparing for cyberwar and developing appropriate responses. (One interesting issue is, at what point do cyber-attacks constitute a genuine act of war and necessitate a response by allies?) The U.S. has formed a “cyberspace command” to protect military data and communications and control networks, and to go on the offensive in the event of a conflict.
Periodic revelations about Japan’s inability to protect data — such as the leak of information about the Aegis weapons fire-control system earlier this year — demonstrate that this country must focus on security at an even more rudimentary level.
Vulnerabilities in social and economic infrastructure are even more glaring. There is little indication that security gets the attention it deserves, given the potential impact of a breakdown. Reports about security and safety violations at Japan’s nuclear plants, for example, do not inspire much confidence in industry. More troubling is that a system does not actually have to fail to become vulnerable — operators only have to think that it is compromised for damage to be done.
Japan, along with its ally the U.S. and other like-minded countries, must begin cyber planning and preparation, focusing on new defenses. This should become a priority at the highest levels of government. This new dimension to security raises questions for Japan given the constitutional restrictions on collective self-defense, yet it also creates opportunities for cooperation and international contributions as well.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.