Cybersecurity and Cyberwar
Authors: Peter W. Singer, Allan Friedman
The scary realization waiting for us in the twenty-first century may be that these twentieth-century strategists had it easy. Threat assessments in cyberspace may be even more difficult.
The nature of vulnerabilities in cyberspace makes assessing them extremely difficult. While it's easy to look at a map of your country and figure out likely approaches of attack (for instance, “My enemy is more likely to attack across this open plain than through these rugged mountains”), the very term “zero day” illustrates the problem in cyberspace. The vulnerabilities that are most often targeted are the ones that no one but the attacker knows about.
Similarly, a key element of any threat assessment is the capability of the adversary and its weapons. While you may not always have perfect information about an enemy's current or next generation of weapons, there have traditionally been at least some bounds that could be placed around any assessment. At the bare minimum, you could at least “ballpark” estimate a threat based on what the last generation of weapons could do, your own experience with similar weapons, and perhaps most of all, the basic laws of physics. An enemy might surprise you with a new tank, but it wouldn't drive 1,000 miles per hour faster than a current version.
Cyber weapons, by comparison, are not bound by the same laws of physics. Each new piece of malware can be designed in very different ways to do very different things. That is, their nonphysical nature means that they can be produced and stored in a manner and number that makes the already tough task of threat assessment an order of magnitude more difficult. During the Cold War, the United States could watch Soviet tank, ship, or missile factories to see what was going in and then leaving the assembly line. They would then watch Red Army bases to see how many weapons were stored and the rough order of battle they were organized into, and then track movements to and from these bases to see where units and their weapons were headed. We may have frequently gotten the count wrong, as LBJ explained, but at least there were “things” to count. With malware, there are no factories, no storage yards, and of course, no things.
This nonphysical nature of cyberthreats becomes even more important when trying to assess a potential adversary's actions and intent. With physical weaponry, there are sometimes tea leaves that can be read as telltale signs that trouble might be coming, whether it's an enemy fleet headed out to sea or reservists reporting to duty. The cyber realm doesn't have this, and the waters are made even murkier by the problem of attribution; pinpointing an adversary is difficult in a world filled with so many different potential state and nonstate players. And, even if you know that you're being targeted and by whom, determining the adversary's actual intent can be tremendously difficult. Someone could be targeting your systems, but the goal might be to gather intelligence, steal information, shut down your operations, or just show off the hacker's capability. Threat assessment is about predicting the likely risks. But in cyberspace, many of these risks will remain undiscovered until after an attack takes place.
Given all this uncertainty, the main lesson for threat assessment in cyberspace goes back to the problem that Enthoven and the general faced in the early days of nuclear weapons. Instead of claiming any kind of perfect knowledge in the midst of any cyber crisis, we should instead recognize our inherent limitations and uncertainties and act accordingly. As one former Justice Department cybersecurity official put it, “I have seen too many situations where government officials claimed a high degree of confidence as to the source, intent, and scope of an attack, and it turned out they were wrong on every aspect of it. That is, they were often wrong, but never in doubt.”
In 2009, American soldiers captured an insurgent leader in Iraq. As they went through the files on his laptop computer, they made a remarkable discovery: he'd been watching them watch him.
A key part of the US military effort was the fleet of unmanned systems (“drones”) that flew overhead, gathering intelligence on the insurgent force, tracking their movements and beaming back video to US Air Force pilots on the ground. But inside the captured leader's laptop were “days and days and hours and hours of proof” that the digital feeds were being intercepted and shared among the various insurgent groups. The insurgents had evidently figured out how to hack and watch the drones' feed, like a robber listening in on a police radio scanner. Even more disturbing to the US soldiers was how the insurgents had pulled it off. It turned out they were using commercially available software originally designed by college kids to illegally download satellite-streamed movies. Skygrabber, as it was known, cost as little as $25.95 on a Russian website.
Examples like this lead many to believe that cyberspace is one of those strange places where the weak have an advantage over the strong. On one hand, the barriers to entry to developing cyberattack capabilities are relatively low, especially compared to building up more traditional military capabilities. For instance, it cost the United States roughly $45 million for the unmanned plane system and several billion dollars for the space satellite network that its feed traveled over. The $25.95 spent on illegal software to undermine those systems was a pretty good bargain. As the head of Israeli military intelligence has explained, “Cyberspace grants small countries and individuals a power that was heretofore the preserve of great states.”
However, the real worry for states like the United States is not just that others can now build up cyberthreats but that traditional strengths are proving cyber vulnerabilities. As director of national intelligence from 2007 to 2009, Mike McConnell oversaw a surge of US cyberwar capabilities, funded by tens of billions of dollars, that culminated in the development of weapons like Stuxnet. But instead of feeling more confident about where the United States stood in cybersecurity after this effort, McConnell testified to the Senate, “If the nation went to war today, in a cyberwar, we would lose. We're the most vulnerable. We're the most connected. We have the most to lose.”
Unlike many of its potential adversaries in this space, the United States and especially the US military is highly reliant on computer networks for everything from communications to electricity (the vast majority of electrical power used by US military bases, for instance, comes from commercial utilities using a fairly vulnerable power grid). So cyberattacks of equivalent strength would have far more devastating consequences on the United States than on potential adversaries like China, whose military is still less networked, let alone a cyber pygmy like North Korea, whose economy never entered the information age. As former NSA official Charlie Miller explains, “One of North Korea's biggest advantages is that it has hardly any Internet-connected infrastructure to target. On the other hand, the United States has tons of vulnerabilities a country like North Korea could exploit.”
This creates the strange irony of cyberwar. The more wired a nation, the more it can take advantage of the Internet. But the more wired a nation, the more it can potentially be harmed by those using the Internet maliciously. To think of it another way, the nations most skilled at throwing rocks live in the biggest glass houses.
That nations like the United States are feeling increasingly vulnerable is not, however, a sign that the strong are toothless in the cyber realm or even that the weak are now at an advantage. As Joseph Nye, a former Pentagon official and dean of the Harvard Kennedy School, writes, “Power diffusion is not the same as power equalization.”
Nonstate groups and weaker states can certainly now play in a game that was once out of their reach. But that doesn't mean they have the same resources to bring to bear in it. The most strategic cyberattacks, as opposed to ones that prove a nuisance or merely have a disruptive effect, combine sophisticated new weapons with vast economic and human resources, sometimes outside the cyber realm. What made Stuxnet so effective was that it combined multiple new exploits built into the weapon's design and that it was specifically targeted to hit a precise configuration of centrifuges that painstaking intelligence had identified at an Iranian facility. It had even been tested on an expensive dummy set of centrifuges built just for the effort. Low-end actors can now carry out copycat attacks, but the cyber powers that will break new ground or have the most lasting and sustained effects are still likely to be the major powers. The configuration of power has something old and something new: “Governments are still top dogs on the Internet,” as Nye puts it, “but smaller dogs bite.”
The true advantage for the strong in these cyber conflicts and arms races may come, however, from their powers outside the cyber realm. While the small groups and weak states are now able to create more cyberthreats, the powerful still retain what is known as “escalation dominance.” As we saw in the earlier discussion of US cyber deterrence strategy, if things go poorly in the cyber realm, the United States “reserves the right” to take the matter outside cyberspace, where it might have a clearer advantage.
Being powerful means you have the choice. Being weak means you don't. The insurgents in Iraq would rather have had the drones than just their pirated video feed. That's why it still pays to be the stronger in battle, even on a cyber battlefield.
“Whatever the question, to attack was always the answer.”
Attaque à outrance, or “Attack to excess,” was a concept that took hold in European military circles at the turn of the last century. The idea was that new technologies like the railroad and telegraph gave an advantage at the strategic level to whichever nation could mobilize first and go on the offensive, while new technologies like the fast-firing cannon, machine guns, and rifles meant that the troops who showed the greatest offensive élan (a concept that combined both willpower and dash) would always carry the day on the battlefield. The philosophy gained huge popularity. In Germany, it drove the adoption of the Schlieffen Plan (which envisioned a rapid mobilization of Germany's army to first knock out France to its west with a lightning offensive and then swing to face Russia to the east), while in France it was actually written into military law in 1913 that the French army “henceforth admits no law but the offensive.”
There were only two problems with Attaque à outrance, an idea that historians now call the “cult of the offensive.” The first was that it drove the European powers into greater and greater competition and ultimately war. When crisis loomed after the assassination of Archduke Franz Ferdinand in 1914, few thought it worth going to war. But soon the sides feared that they were losing a tight window of opportunity during which to mobilize to their advantage, or even worse, that they would be caught helpless. Fear of being on the defensive prompted the powers to move to the offensive, launching their long-planned attacks as part of a war most didn't want.
The second problem was even worse. These new technologies didn't actually give the offense the advantage. Once the war started, it became clear that “attacking to excess” against fast-firing artillery, rifles, and machine guns was not the way to quick victory, but rather to a quick death. A bloody stalemate of trench warfare instead resulted.
This question of whether a new technology favors the offense or the defense is a critical one for cybersecurity, as it might similarly shape everything from the likelihood of war to how governments and even businesses should organize themselves. For the most part, there is a general assumption that cyberattack has the advantage against cyber defense. As one Pentagon-funded report concluded in 2010, “The cyber competition will be offense-dominant for the foreseeable future.”
This assumption is what has helped drive the larger spending on cyber offense by militaries around the world. Their basic thinking behind the offense's advantage is that “It will be cheaper and easier to attack information systems than it will be to detect and defend against attacks.” Compared to traditional military capabilities, those needed to put together a cyberattack are relatively cheap. More importantly, the attackers have the initiative, the advantage of being able to choose the time and place of their attack, whereas the defender has to be everywhere.
This is true with any weapon, but in cyberspace a few other factors kick in. While in the physical world territory is relatively fixed, the amount of “ground” that the defender has to protect is almost always growing in the cyber world, and growing exponentially. The number of users on computer networks over time is an almost constant upward curve, while the number of lines of code in security software, measured in the thousands two decades ago, is now well over 10 million. By comparison, malware has stayed relatively short and simple (some is as succinct as just 125 lines of code), and the attacker only has to get in through one node at just one time to potentially compromise all the defensive efforts. As the director of the Defense Advanced Research Projects Agency (DARPA) put it, “Cyber defenses have grown exponentially in effort and complexity, but they continue to be defeated by offenses that require far less investment by the attacker.”
Just as before World War I, however, the story of the offense's inherent advantage is not so simple. The cyberattacks that are truly dangerous require a great deal of expertise to put together. And while they might play out in terms of microseconds, they often take long periods of planning and intelligence gathering to lay the groundwork. Neither Rome nor Stuxnet was built in a day, so to speak. This means that crippling attacks out of the blue, the ultimate threat from the offense's advantage, are not as easy to pull off in the cyber world as is often depicted.