At first sight, and against certain
counterparties, cyber warfare has appeared and proved to be a phenomenally
low-cost and low-risk tool of adversarial foreign policy. But while questions
increasingly arise about the exposure of the most heavily digitized knowledge-
and data-based economy and society to reciprocal risk, it has become clear
that the genie will never again return into its bottle. Strategic, legal, and
political questions will not be dodged much longer. The very advantages of
cyber warfare may easily and all too quickly be turned against a first mover,
especially one as vulnerable as a highly digitized industrial state. Its use
for asymmetric warfare increases attractiveness to non-state actors. And
arguably its greatest potential, the disruption of enemy economic functionality
by disruption of payment systems, has regularly been vetoed in the interest of
the integrity of the global system. It may appear that the philosophy
underlying the Nuclear Non-Proliferation Treaty as well as treaties banning use
of chemical and biological weapons may provide even stronger rationales in an
understanding to ensure mutual non-aggression by digital electronic means
between major and even mid-size powers.
Given the seriously increasing reluctance of U.S. voters and
public opinion to countenance significant military engagements overseas, and given
further the economic necessity to abandon former U.S. military doctrine of
maintaining the capability of conducting two wars simultaneously at all times, demand for
and attention to low-level engagement strategies such as drone warfare, special ops and cyber warfare has risen
sharply, and with good reason. The events surrounding Stuxnet
and the resulting partial temporary paralysis and setback of the Iranian
nuclear program as well as targeted assassination
of nuclear scientists have shown that, although low-level
engagement cannot produce equivalency to boots on the ground (nor does it
come at comparable cost), it is an increasingly important tool in any nation’s
strategic and tactical arsenal. But it is also a double-edged sword: cyber
warfare in particular takes advantage of an area of significant U.S.
superiority (but also particular vulnerability) – and has been utilized
already very successfully at low cost by the Obama administration and also by
its predecessor. Yet it also raises important questions of homeland security
and exposure of vital domestic infrastructure. Our nuclear experience has
shown that technological
leadership in strategic areas can be measured in years at best. This is all the
more true for relatively low-cost weapons such as offensive digital technology
and know-how. However, low publicity and evidentiary problems under
international law make this an issue even middle and minor powers can ill afford
to ignore; indeed, they have every motivation to use it in their need for
asymmetric strategies. The following sketch showcases critical analysis and
policy both in the offensive and defensive dimension.
First off, cyber warfare as a phenomenon of low-level
engagement needs to be distinguished conceptually from the use of digital
electronic technology on the conventional military battlefield. For example, much
information is in the public domain about U.S. tactical use of
digital technology during the Afghan war and prior to the 2003 operation
against Saddam Hussein that took out critical parts of the Iraqi
command-and-control system. But rather than those ancillary uses, low-level
engagement strategies seek to obviate conventional military engagement with its
attendant material and intangible cost and risks altogether.
It is estimated that at least two dozen states are
developing capabilities for cyber warfare, including Russia, China
(both considered leaders in sovereign-sponsored targeted attacks), the U.S.,
the U.K., France, Germany, Israel, Iran, North Korea, South Korea, Estonia,
Denmark, Switzerland, Australia, India, Pakistan, Georgia, Azerbaijan,
as well as NATO, to
name just the most visible. U.S. cooperation within NATO and with Israel has
proved to be most significant (including the joint U.S.-Israeli intelligence
project dubbed “Operation Olympic Games” commenced under the administration
of George W. Bush). In
addition, corporations, individuals and terrorist groups have some or most of
the resources to conduct operations similar in nature if not in size and
quality. Specialized agencies have been created and tasked specifically with
the agenda of cyber warfare, including USCYBERCOM (headed by the
director of NSA), the British GCHQ (Government Communications Headquarters),
the EU’s ENISA (European Network and Information Security Agency),
departments of Russia’s Federal Security Service FSB, the Cyber Security
Squad of the Chinese People’s Liberation Army, the Israeli IDF Operations
Department, as well as other agencies in the same and other countries.
Whenever a ‘game changer’ of such
caliber appears on the national policy horizon it behooves us to engage
critical judgment and skepticism. Cyber warfare is no exception. The same
mentality that considered nuclear confrontations “winnable” in the 1950s is now
shining forth in much of the public talk about “conducting a
combined arms campaign across all domains – land, air, maritime, space, and
cyberspace.” Branches of the U.S. military establishment compete over who
should get what share of this fight – and, more importantly, what share of the
budget. Consequently, scaremongers abound, not least among security firms, but
also among universities whose financing by taxpayers decreases, and IT
companies that created unsafe hard- and software in the first place (including
intended vulnerabilities that facilitate government access
but can also be exploited by third parties). All these experts’ testimony is
rife with examples of past events that did not quite happen as described (or
happen at all), or, from a vantage point of looking at the actual science
behind the hype, could not produce in realistic likelihood the fearsome
consequences often attributed to them. But some reality remains to such
concerns: India and Australia have legally prohibited
inclusion of Chinese Huawei hardware in products manufactured or sold on
their territory, while the U.S. tries to curtail exposure to vulnerabilities inherent
in the global information technology supply chain.
The issues become particularly
murky if the possibility (and, presumably, indeed reality) of occasional cyber
activity against allies rather than opponents is taken into consideration. Even
friendly governments are not always governed by politicians entirely in
agreement with their allies’ leadership, and adding a little inconvenience or
blackmail or digital sabotage may often present a temptation a government could
find all too difficult to resist. Some evidence was believed to exist that the
U.S. conducted a cyber operation against
the executive office of the French president in the later days of Nicolas
Sarkozy’s term.
Even less clear is the legal
basis for cyber warfare. The foremost unresolved question there is attribution.
From a forensic viewpoint, it is exceedingly difficult to trace a competently
executed digital attack back to its perpetrator(s) with any even remotely
acceptable degree of certainty that would suffice as evidence for invoking the
new U.S. military doctrine that reserves the right to treat
an attack in cyberspace as an act of war and respond to it by military
means. First off, the vast majority of cyber attacks fail the definition of
an act of war: to qualify, an attack would have to be potentially violent,
purposeful, and political. And, most of all, it needs to be attributable. Acts of economic or
informational sabotage, distributed denial of service attacks or disruption of
even vital infrastructure seldom if ever rise to
this level. So perhaps the law of war needs a definitional upgrade? Can we
continue to afford maintaining that there is a material difference between a
blockade of harbors or airports of a sovereign state – a conventional act of
war – and the blockade of government institutions, newspaper websites and bank
payment systems? It is also common in the Kafkaesque world of cyber operations
that attackers would act on a strong incentive of providing a false flag to
implicate a third party as the perpetrator. In any event, lack of reliable
attribution beyond a reasonable doubt raises difficult constitutional issues in
many countries and particularly under international law, aside from the fact that
events and techniques are developing faster than controlling legal authority
can be developed virtually anywhere. Art. 26 Sec. 1 of the German constitution,
for example, prohibits
purely offensive capabilities, and no jurisprudence exists from its
Constitutional Court. But then distinctions between offense and defense have
long been blurred in cyberspace, as they have with the (logically
indispensable) right to preventative self-defense in the context of numerous
advanced technologies. What level of intrusive intervention triggers a state’s
right to self-defense?
While taking credit for
disruptive actions is usually a major prize to terrorist and other adversarial
organizations, it is almost unheard of in the case of cyber hostilities.
Stealth over the long term is absolutely key to most cyber operations on both the
offensive and defensive side of the game, especially those aiming at activities
over a lengthy period, which is substantially more difficult than causing a
systemic shutdown that will result in a quick and likely adequate corrective
response. Damage from even a catastrophic system shutdown caused by malware
typically falls short of the considerably more complex objectives of intruders
in strategically worthwhile targets. But even a non-destructive worm such as Duqu
(nearly identical to Stuxnet but with a completely different purpose) could be
equipped with a payload targeted at cyber-physical attacks based on its modular
structure. Such malware is typically capable of evading current security
software through rootkit functionality or other means, and is sometimes written
in a proprietary, unknown high-level programming language. This is among the
factors that suggest sovereign resources backing its author.
Attacks of any kind invite and
legitimize retaliatory counterattacks. Countries that are to a greater extent ‘off
the grid’ are less vulnerable than those with a greater dependence on
cyber-controlled systems. America’s financial, energy and transportation
infrastructure is likely the most vulnerable target globally today: air traffic
control, train safety and logistics, urban traffic systems, pipelines, port
operations, refinery sites, power stations, the electrical grid, financial
exchanges and payment systems, bank and securities clearing, hospital
logistics, news media and social networks
are all extremely exposed to digital risks and vulnerable to attacks backed by
sovereign resources. There is also the need to balance cost of increased
security and its frequently disproportionate opportunity cost that can grow up
to a point where basic operational necessities in a competitive environment
would no longer be possible if “adequate” security were to be mandated. That is
why presidents Clinton and Bush both declined
to use cyber warfare against banks maintaining accounts that supported both
state and non-state adversaries. Of course it would be naïve to assume that
avoiding an offensive precedent will long, or even likely, spare one the
necessity to improve on a weak defense. Also, responses need not be symmetrical: while a
retaliatory response by Iran for the Stuxnet attack is technically and
tactically possible, it is strategically unlikely, as it would increase the
likelihood of a conventional response that the regime would be unlikely to
survive.
Cyber warfare is substantially
more humane than conventional military operations. This aspect in and of itself
justifies for any conventional force the development and maintenance of extensive
expertly trained hacking units to extend its digital reach and capabilities.
Depending on the level of the target’s dependence on digital communications, cyber
warfare can lead to decisive checkmate situations on the economic and political
battlefields, theoretically up to the total exclusion of any lethal action.
Examples of vital infrastructure
include financial and commodity exchanges. They are networked and
interconnected to an extreme. Some have argued that this state of affairs is
irreversible. But all that is a matter of choice, really. Only in a very
superficial analysis is society enslaved by technology. Our true serfdom
consists of being beholden to finance to the extent we are – which is hardly
news. Deconstructing digital interconnection would involve great expense but
could nonetheless be worthwhile in the case of stock and commodities exchanges
that have already been invaded by a plethora of illegitimate uses, even without
counting hostile sovereign digital operations.
Offensive digital operations can
– and often do – pursue strategies below the threshold of conflict.
Manipulation of economic information and price levels, manipulation of the flow
of political information (or restrictions thereof), or economic intelligence
all fall short of sabotage in the proper sense that many will consider to
qualify as an openly hostile act.
It should be noted that the
Stuxnet operation took place in the general environment leading up to an
American election. The ensuing “Obama leaks,” aimed less at preserving
strategic advantage over the foreign adversary than over a domestic political competitor,
were, just like in the case of the announcement following the elimination of
Osama bin Laden in Abbottabad, undoubtedly targeted also, if not primarily, at
putting at a disadvantage a political rival who lacked a track record or proven
capability in foreign affairs.
It should also be noted that the
intelligence agencies of many countries routinely penetrate and probe foreign
computer systems. Military-grade malware is characteristically developed years
ahead of its actual use – but also years ahead of conventional software tools. Virtual
“sleeper agents” are planted and maintained subject to activation at a later
point in time, but also to test the target’s analytic and remedial defensive
capabilities. Sometimes detection is actually desired as a warning, but in most
instances it is not. Offensive tools today have a far shorter half-life than
defensive measures. Yet the preparation of a highly effective stealth attack is
not only resource-intensive but also typically very specific – not least to
avoid collateral damage in other infected computer systems – and often can be
activated only once.
Great danger follows from
inevitable “dual use” of technology that cannot be safely contained even in the
medium term: spillovers into the hands of corporate or private players are
inevitable and have already occurred. Intrusions by camera-equipped small
private drones or targeted assassinations by unmanned combat aerial vehicles may
eventually render the protection tasks of the Secret Service virtually
impossible. Equally likely is the development of a multitude of Cold Wars well below
the threshold of conventional military confrontation. They can be used to
inflict considerable economic damage yet avoid triggering major alliances. U.S.
and NATO cyber warfare doctrine regarding offensive capabilities re-established
conventional pre-1989 Cold War logic instead of focusing at a much higher level
on defensive efforts. Whether this will prove adequate in light of the nature
and level of evolving threats remains to be seen but is unlikely.
There is very little doubt that
digital technology was, is, and will continue to be used for both strategic and
tactical military purposes, both defensive and offensive in nature. But it is
equally apparent that cyber warfare will cause a paradigm shift of as yet
inestimable proportions. This is so because, on the one hand, cyber warfare has
the potential of minimizing human casualties dramatically. On the other hand,
it severely curtails the cost of operations that have the potential to weaken
or impede decisively and even disable a prospective military adversary. As in
other such cases of contemporary genesis, it is not the technology itself that
will remain the real and paramount challenge, but rather the appropriate
integration of technology with far-reaching military uses into the arsenal of
an open society, and the maintenance of a tolerable balance between the
potential of its digital resources and its values.
[This text has been adapted from
my Working Paper Series article: Caytas, Joanna Diane, Cyber Warfare as a
Superficially Tempting Low-Level Engagement Strategy (April 26, 2013).
Available at SSRN: http://ssrn.com/abstract=2348852]