Authors: Bobby Akart
Cyber Warfare (12 page)
Snowden’s allegations of massive cyber spying by the National Security Agency and close American allies have raised worldwide fears about the security and privacy of the Internet.
Russia and Iran have been accused of launching covert cyber espionage against political and economic targets in the U.S. According to reports, it appears Russian hackers attempted to place a
digital bomb
inside the NASDAQ stock exchange networks.
Fears are growing that, similar to the outbreak of World War I a century ago, a cyber event—the equivalent of the Serbian gunman’s assassination of the Austro-Hungarian Duke in Sarajevo—could escalate into an outright cyber war with dire consequences around the world.
Cyber warfare is one of the most misused terms in the cyber dictionary. The U.S. Strategic Command defines cyber warfare as:
The Creation of effects in and through cyberspace in support of a combatant commander's military objectives, to ensure friendly forces freedom of action in cyberspace while denying adversaries these same freedoms
.
There are traditional definitions as to what constitutes an act of war, and the cyber version is only slightly different. Cyber warfare has been defined as an action, or series of actions, by a military commander or government-sponsored cyber warriors that further his or her objectives, while disallowing an enemy to achieve theirs. Military leaders typically belong to a nation-state or a well-funded, overt and organized insurgency group (as opposed to loosely organized rebels, crime syndicates, etc.). Acting overtly in cyberspace means you are not trying to hide who you are, although it’s relatively easy to mask your tracks. The warriors of today are the cyber version of regular, uniformed forces versus irregular forces.
In 2014, Sony executives, gearing up for the release of Seth Rogen's North Korea-bashing film, The Interview, received an ominous holiday greeting—“
We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.
” The hackers delivered on their promise, unloading onto the internet an incredible number of emails, employee information, and all sorts of other data. Most of the actual damage involved disclosed personnel records and damaged celebrity reputations. Among other things, producer Mark Rudin called Angelina Jolie
a minimally talented spoiled brat
for delaying his film projects, and producer Amy Pascal called Leonardo DiCaprio
absolutely despicable
after he passed on a Steve Jobs biopic.
A few politicians focused on the Sony cyber attack’s political and economic implications. “It’s a new form of warfare that we’re involved in,” Senator John McCain told CNN’s State of the Union, “and we need to react and we need to react vigorously.” Senator McCain’s condemnation was in large part a response to President Obama’s earlier acknowledgment that, while indeed an act of
cyber vandalism
, the Sony cyber attack doesn’t quite qualify as an act of war. Congressman Mike Rogers, the Republican chair of the House Intelligence Committee, was more reserved in his assessment. “You can’t necessarily say an act of war,” he expressed in an interview with Fox News. Rogers identified the underlying legal problem when he admitted, “We don’t have good, clear policy guidance on what that means when it comes to cyber attacks.”
Was the cyber attack on Sony cyber—vandalism, warfare, or something else? If the Sony cyber attack didn’t cross the line into cyber warfare, what would?
After President Obama stated that the Sony hack was an act of cyber vandalism perpetrated by North Korea—and thus not an act of war, the statement was criticized by politicians, security experts and other members of the public. Before a rush to judgment is made, one must look at what constitutes an act of war. Let’s assume for the sake of this analysis that North Korea did perpetrate the attack. Was the act part of a military maneuver, directed by a commander, with the purpose of denying the enemy freedom of action while providing a tactical advantage on its end? No. The objective was to embarrass a private-sector firm and degrade or deny computing services. Under this analysis, the President is right – it’s clearly not part of a military operation. It’s on the extreme end of vandalism, but that’s all it is.
Few public examples exist of true, overt cyber warfare. Allegations have been made that the U.S., Israel, Russia, China, and Iran have engaged in cyber war at some point, but the accounts either use a looser definition of cyber war.
One of the early candidates for a textbook example of cyber war occurred during the 2008 Russo-Georgian War. Russia and Georgia engaged in armed conflict with two breakaway republics, South Ossetia and Abkhazia – both located in Georgia. Russia backed the separatists and eventually launched a military campaign. In the days and weeks leading up to Russia’s direct military intervention, hackers originating from within Russia attacked key Georgian information assets. Internet connectivity was down for extended periods of time and official government websites were hacked or completely under the attacker’s control. In addition, internal communications and news outlets were severely disrupted. All of the above would hamper the ability of Georgian military commanders to coordinate defenses during the initial Russian land attack.
Considering the Sony attack as a typical example, or perhaps a cyber attack that causes a financial market crash but, because it does not directly harm people or the infrastructure necessary for preserving life and health, doesn’t meet criteria for a conventional act of war. By accepted definitions of warfare, this may not constitute an act of war against the United States—and thus only cyber vandalism, but the affected companies might disagree.
Chapter Twelve
When is it an act of war? What is an appropriate response?
In 2012, former Defense Secretary Leon Panetta stood inside the Intrepid Sea, Air and Space Museum moored in New York and addressed an audience of business executives. He informed them of one of the most important conversations being held inside the corridors of the United States government.
Pearl Harbor was one of the most tragic moments in American history. Japanese bombers unleashed a devastating surprise attack on a U.S. naval base in Hawaii on that seventh day of December in 1941, killing twenty-four hundred Americans and wounding another thirteen hundred. President Franklin D. Roosevelt called it
a date that will live in infamy
during his speech asking Congress for a declaration of war.
Sixty years later, another surprise attack killed almost three thousand people when Muslim terrorists flew two airplanes into New York’s World Trade Center towers and the Pentagon. Panetta referenced the September 11, 2001, strikes, warning that the United States is in a
pre-9/11 moment
, with critical computer systems vulnerable to assault.
He told the businessmen that America is vulnerable to a
cyber Pearl Harbor.
An act of war by military means is apparent. By mentioning two of the most egregious attacks in U.S. history, Panetta effectively raised a sense of urgency about the threat in the cyber domain.
But when does a cyber attack give rise to an act of war?
Panetta called the Saudi Aramco assault, along with a similar strike on Qatar’s RasGas,
probably the most destructive attack
on the private sector to date. These highly destructive attacks crossed the line from cyber vandalism to cyber war said one U.S. official, who declared it a
watershed moment
in the new age of digital warfare. Attacks on critical infrastructure go beyond the troubling—but all-too-familiar—thefts of data and disruption of Web sites. They threaten the lives of human beings, especially the vulnerable.
Unlike the Japanese planes at Pearl Harbor, the cyber attacks on ARAMCO and RasGas had no visible digital footprints that gave away its origins. Privately, sources in the intelligence community believe the invader was sponsored by Iran.
If the Iranians are responsible, what was the motive? In the view of some pundits, Iran was striking back for sanctions imposed upon it with the complicity of the Saudi kingdom’s support for an oil embargo. Another theory surrounded the damage done to Iran’s nuclear program by Stuxnet, which slowed the country’s pursuit of a nuclear weapon by destroying nearly one thousand uranium-enrichment centrifuges.
The Shamoon attack on Saudi Aramco did not cause enough physical damage to rise to what international law experts call an armed assault—thus an act of war. Consider this. What if something like it happened to Exxon, Shell and BP operations in the United States? What if it could be traced conclusively to a foreign government or a terrorist group? How much damage, pain, and fear would need to result before administration officials would say, “This is an act of war”?
There does not seem to be a definitive agreement by the State Department and Pentagon officials on this issue. Japan’s attack on Pearl Harbor was a direct assault on a U.S. military installation—clearly, an act of war. But much of the nation’s critical infrastructure networks belong to the private sector. Companies that provide transportation, water, telecommunications, and energy could become targets for adversaries determined to put America in the dark. That simple fact has led to a complicated set of questions for policymakers responsible for the nation’s security.
Should the U.S. government step in to prevent a destructive cyber attack upon privately owned and operated utilities? Assuming the cyber terrorism can be conclusively traced to another nation or a terrorist group, when should the U.S. retaliate and to what extent? Under what circumstances should our government make pre-emptive use of cyber weapons to alter a nation-state’s agenda or behavior?
By way of example, if a significant cyber attack is initiated, such as a virus knocking out air traffic control and wreaking havoc on the airline system, what would be the appropriate response of our government? It is likely the President and the National Security Council would focus first on what type of reply would be proportionate, justified, and necessary and in the U.S. interest. It might be a military response. It might be retaliation in cyber space. It might be the exposure of the attacker before the United Nations, demanding the imposition of sanctions. With the problems of attribution, it might be no response at all.
Deciding what amounts to an act of war is more a political judgment than a military or legal one. General James Cartwright, former vice chairman of the Joint Chiefs of Staff, was quoted as saying
an act of war is in the eye of the beholder
. Typically, an act of war requires international consensus.
If the United States didn’t go to war with North Korea after it sank a South Korean warship in 2010, nor with Iran after the U.S. Embassy in Tehran was seized in 1979, would the American people accept a war over a power outage? The administration has defined an armed attack in cyberspace as one that results in death, injury or significant destruction. Here’s the rule of thumb as expressed by policymakers:
If the physical consequences of a cyber attack work the kind of physical damage that dropping a bomb or firing a missile would, that cyber attack should equally be considered a use of force
. If an attack reaches those levels, then a nation has a right to act in
self-defense
.
The more severe cases will look something like what happened to Saudi Aramco, Ashley Madison’s website and Sony Pictures. Economic damage or embarrassment alone does not give rise to a right of self-defense in the form of a military response. Those instances are certainly not worthy of an armed response, although the affected companies might disagree.
A more complicated scenario—a cyber attack on Wall Street computers that sends the markets into a tailspin and causes ripple effects throughout the economy, might generate sufficient economic damage on the nation’s economy to warrant a more severe response. Although such an attack would be difficult to implement, it is one of those low-probability, high consequence events that cyber experts fear.
In the United States, senior policymakers have been wrestling with these very issues. The Saudi Aramco and Sony Picture attacks have raised awareness and the sense of urgency, making the cyber threat all the more plausible. As one U.S. intelligence official was reported as saying, “this was a deliberately disruptive event, done on purpose, not by some rogue hacker. Not some out-of-control operative.”
Panetta further elaborated on this in his speech, saying “If a crippling cyber attack were launched against our nation, the American people must be protected.” But what is the definition of
crippling
? What exactly would the role of the military be? Perhaps we will know the results of those closed door discussions when the cyber attack occurs.
Apparently, officials have done a lot of work on how the government would respond to individual attacks. “We feel we’re very prepared to answer that question if it should come up in the case of the United States,” said one senior Pentagon official in a Washington Times interview. But he would not get into hypotheticals, such as whether a cyber attack that caused a drop in the stock market or a huge increase in gas prices would trigger a military response.
“Those are always classified things,” he said. “It’s not helpful for the United States to give the enemy our detailed position on whether something is an attack on the nation and when it is not.”
Makes sense. Why tell other nations what the United States is willing to tolerate before it responds forcefully? One might argue deterrence. We have maintained a vast nuclear arsenal under the guise of deterrence. Why not show our hands to prevent an attack, rather than respond to one which has a devastating impact on our nation’s infrastructure.
Toward that end, the U.S. and its allies may be moving toward a greater strategic use of cyber weapons to dissuade adversaries from using cyber attacks against them. This can be good if it averts war. On the other hand, it could cause other nations to feel vulnerable. Some experts foresee a potential cyber arms race as nation-states try to maintain an edge.
